
Windows Analysis Report
build.exe

Overview

General Information

Sample name: build.exe
Analysis ID: 1526421
MD5: 76a22609f559db1a73201b95a09053e7
SHA1: 56d1d8da4e5cea24045cfadc46df0d01be4f161c
SHA256: b39fc625927448fa634bf0241a8eabd228d9acffb3e66e1091eb1a7cb3f9d719
Tags: exe, user-aachum

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Explorer NOUACCHECK Flag
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • build.exe (PID: 7040 cmdline: "C:\Users\user\Desktop\build.exe" MD5: 76A22609F559DB1A73201B95A09053E7)
    • conhost.exe (PID: 7056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • explorer.exe (PID: 6360 cmdline: "C:\Windows\explorer.exe" MD5: 662F4F92FDE3557E86D110526BB578D5)
    • cvtres.exe (PID: 6316 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 193.142.146.64 2015 VOerOCQof MD5: 70D838A7DC5B359C3F938A71FAD77DB0)
  • explorer.exe (PID: 2472 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • explorer.exe (PID: 4940 cmdline: C:\Windows\explorer.exe /NoUACCheck MD5: 662F4F92FDE3557E86D110526BB578D5)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Process Memory Space: build.exe PID: 7040 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: cvtres.exe PID: 6316 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |

      System Summary

      Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\explorer.exe /NoUACCheck, CommandLine: C:\Windows\explorer.exe /NoUACCheck, CommandLine|base64offset|contains: y, Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Windows\explorer.exe /NoUACCheck, ProcessId: 2472, ProcessName: explorer.exe
      Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: explorer.exe, C:\Users\user\AppData\Roaming\fOWeBGYAp\TxTKzZWFO.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\build.exe, ProcessId: 7040, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
      No Suricata rule has matched

      AV Detection

      Source: build.exe | Avira: detected
      Source: C:\Users\user\AppData\Roaming\fOWeBGYAp\TxTKzZWFO.exe | Avira: detection malicious, Label: TR/Dropper.Gen
      Source: C:\Users\user\AppData\Roaming\fOWeBGYAp\TxTKzZWFO.exe | ReversingLabs: Detection: 73%
      Source: build.exe | ReversingLabs: Detection: 73%
      Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
      Source: C:\Users\user\AppData\Roaming\fOWeBGYAp\TxTKzZWFO.exe | Joe Sandbox ML: detected
      Source: build.exe | Joe Sandbox ML: detected
      Source: build.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
      Source: build.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\build.exe | Code function: 4x nop then jmp 009D2F4Dh 0_2_009D2AE0
      Source: C:\Users\user\Desktop\build.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h] 0_2_009D64E8
      Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 193.142.146.64:2015
      Source: global traffic | HTTP traffic detected: GET /ip HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
      Source: Joe Sandbox View | IP Address: 34.117.59.81
      Source: unknown | DNS query: name: ipinfo.io
      Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.64
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic | DNS traffic detected: DNS query: ipinfo.io
      Source: cvtres.exe, 00000003.00000002.4167328220.0000000002958000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000003.00000002.4167328220.0000000002950000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io
      Source: build.exe, 00000000.00000002.1717332096.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000003.00000002.4166213175.0000000000977000.00000004.00000020.00020000.00000000.sdmp, cvtres.exe, 00000003.00000002.4167328220.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000003.00000002.4166008887.0000000000402000.00000040.00000400.00020000.00000000.sdmp, cvtres.exe, 00000003.00000002.4167328220.000000000292C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io/ip
      Source: cvtres.exe, 00000003.00000002.4166213175.0000000000977000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.io/ipbP
      Source: cvtres.exe, 00000003.00000002.4167328220.0000000002958000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ipinfo.iod
      Source: cvtres.exe, 00000003.00000002.4167328220.0000000002941000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: cvtres.exe, 00000003.00000002.4166008887.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://i.imgur.com/A6jEbUB.png
      Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_009D2F70 CreateDesktopW

      System Summary

      Source: build.exe, HVNC.cs | Large array initialization: StartHVNC: array initializer size 19424
      Source: TxTKzZWFO.exe.0.dr, HVNC.cs | Large array initialization: StartHVNC: array initializer size 19424
      Source: 0.2.build.exe.2707d9c.1.raw.unpack, HVNC.cs | Large array initialization: StartHVNC: array initializer size 19424
      Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_009D0848
      Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_009D3409
      Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_009D07A9
      Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_009D07E8
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 3_2_026C62A3
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 3_2_026C984B
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 3_2_026C9858
      Source: build.exe, 00000000.00000002.1717332096.00000000026D6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDLL.exe" vs build.exe
      Source: build.exe, 00000000.00000002.1717332096.00000000026D6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs build.exe
      Source: build.exe, 00000000.00000002.1715709027.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs build.exe
      Source: build.exe, 00000000.00000000.1711052198.000000000037C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs build.exe
      Source: build.exe | Binary or memory string: OriginalFilenameStub.exe" vs build.exe
      Source: build.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: TxTKzZWFO.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: build.exe, HVNC.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: TxTKzZWFO.exe.0.dr, HVNC.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: 0.2.build.exe.2707d9c.1.raw.unpack, HVNC.cs | Cryptographic APIs: 'CreateDecryptor'
      Source: build.exe, Installer.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb24=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c'
      Source: TxTKzZWFO.exe.0.dr, Installer.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb24=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c'
      Source: 0.2.build.exe.2707d9c.1.raw.unpack, Installer.cs | Base64 encoded string: 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb24=', 'U29mdHdhcmVcTWljcm9zb2Z0XFdpbmRvd3MgTlRcQ3VycmVudFZlcnNpb25cV2lubG9nb25c'
      Source: classification engine | Classification label: mal100.evad.winEXE@8/3@1/2
      Source: C:\Users\user\Desktop\build.exe | File created: C:\Users\user\AppData\Roaming\fOWeBGYAp
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Mutant created: NULL
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Mutant created: \Sessions\1\BaseNamedObjects\VOerOCQof
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7056:120:WilError_03
      Source: C:\Users\user\Desktop\build.exe | Process created: C:\Windows\explorer.exe
      Source: unknown | Process created: C:\Windows\explorer.exe
      Source: build.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
      Source: C:\Windows\explorer.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\build.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\build.exe | File read: C:\Users\user\Desktop\build.exe
      Source: unknown | Process created: C:\Users\user\Desktop\build.exe "C:\Users\user\Desktop\build.exe"
      Source: C:\Users\user\Desktop\build.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\build.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe"
      Source: C:\Users\user\Desktop\build.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 193.142.146.64 2015 VOerOCQof
      Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /NoUACCheck
      Source: C:\Users\user\Desktop\build.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\build.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\explorer.exe | Section loaded: aepic.dll
      Source: C:\Windows\explorer.exe | Section loaded: twinapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: userenv.dll
      Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\explorer.exe | Section loaded: dxgi.dll
      Source: C:\Windows\explorer.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
      Source: C:\Windows\explorer.exe | Section loaded: coremessaging.dll
      Source: C:\Windows\explorer.exe | Section loaded: urlmon.dll
      Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
      Source: C:\Windows\explorer.exe | Section loaded: wininet.dll
      Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
      Source: C:\Windows\explorer.exe | Section loaded: twinapi.appcore.dll
      Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
      Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\explorer.exe | Section loaded: wldp.dll
      Source: C:\Windows\explorer.exe | Section loaded: iertutil.dll
      Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
      Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
      Source: C:\Windows\explorer.exe | Section loaded: umpdc.dll
      Source: C:\Windows\explorer.exe | Section loaded: ninput.dll
      Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
      Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: mscoree.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: version.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: wldp.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: profapi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rsaenh.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: mswsock.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: sspicli.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rasman.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rtutils.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: winhttp.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: winnsi.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: rasadhlp.dll
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\explorer.exe | Section loaded: profapi.dll
      Source: C:\Windows\explorer.exe | Section loaded: edputil.dll
      Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
      Source: C:\Windows\explorer.exe | Section loaded: appresolver.dll
      Source: C:\Windows\explorer.exe | Section loaded: bcp47langs.dll
      Source: C:\Windows\explorer.exe | Section loaded: slc.dll
      Source: C:\Windows\explorer.exe | Section loaded: sppc.dll
      Source: C:\Windows\explorer.exe | Section loaded: starttiledata.dll
      Source: C:\Windows\explorer.exe | Section loaded: usermgrcli.dll
      Source: C:\Windows\explorer.exe | Section loaded: usermgrproxy.dll
      Source: C:\Windows\explorer.exe | Section loaded: cscui.dll
      Source: C:\Windows\explorer.exe | Section loaded: structuredquery.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.globalization.dll
      Source: C:\Windows\explorer.exe | Section loaded: bcp47mrm.dll
      Source: C:\Windows\explorer.exe | Section loaded: icu.dll
      Source: C:\Windows\explorer.exe | Section loaded: mswb7.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.storage.search.dll
      Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
      Source: C:\Windows\explorer.exe | Section loaded: actxprxy.dll
      Source: C:\Windows\explorer.exe | Section loaded: wintypes.dll
      Source: C:\Windows\explorer.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
      Source: build.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: build.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

      Data Obfuscation

      Source: build.exe, RunPE.cs | .Net Code: Run4 System.Reflection.Assembly.Load(byte[])
      Source: TxTKzZWFO.exe.0.dr, RunPE.cs | .Net Code: Run4 System.Reflection.Assembly.Load(byte[])
      Source: 0.2.build.exe.2707d9c.1.raw.unpack, RunPE.cs | .Net Code: Run4 System.Reflection.Assembly.Load(byte[])
      Source: build.exe | Static PE information: 0xC09B1206 [Wed May 25 07:49:26 2072 UTC]
      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Code function: 3_2_026C0D37 push esp; retn 00D8h 3_2_026C0D61
      Source: build.exe | Static PE information: section name: .text entropy: 7.321757044315469
      Source: TxTKzZWFO.exe.0.dr | Static PE information: section name: .text entropy: 7.321757044315469
      Source: 0.2.build.exe.26dfec4.0.raw.unpack, ecWdQLGLZPEpl.cs | High entropy of concatenated method names: '_003CRandomString_003Eb__9_0', 'Main', 'nnaCNjrtItkZV', 'SAYEJqanTozA', 'ohQdkyWwQMgV', 'OsZKpDphEzib', 'EnYNDRmmEKB', 'nqrExhNnadhIL', 'sVvLgDNrOREdG', 'OZkUrptaNPEwXus'
      Source: 0.2.build.exe.26dfec4.0.raw.unpack, akXgkkFEexOmF.cs | High entropy of concatenated method names: '_003CFindHandle_003Eb__67_0', '_003CRenderScreenshot_003Eb__0', 'tdqyiiqlHqwkl', 'rJBcJYqRAGFo', 'cbGHnVuPSCfFXbHK', 'gZNlqUJMdIjWRF', 'qqnVVdTGHS', 'eXkpxzbmwONsIg', 'IHSUUtsSqtaGuA', 'jdZdGnxdvcgbm'
      Source: C:\Users\user\Desktop\build.exe | File created: C:\Users\user\AppData\Roaming\fOWeBGYAp\TxTKzZWFO.exe

      Boot Survival

      barindex
Source: C:\Users\user\Desktop\build.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Shell
Source: C:\Users\user\Desktop\build.exe | Process information set: NOOPENFILEERRORBOX (27 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process information set: NOOPENFILEERRORBOX (43 identical entries)
Source: C:\Users\user\Desktop\build.exe | Memory allocated: 9D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\build.exe | Memory allocated: 2690000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\build.exe | Memory allocated: 4690000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Memory allocated: 26C0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Memory allocated: 28D0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Memory allocated: 2700000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\build.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Window / User API: threadDelayed 5739
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Window / User API: threadDelayed 4256
Source: C:\Users\user\Desktop\build.exe TID: 6148 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6440 | Thread sleep count: 5739 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6440 | Thread sleep time: -57390000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6440 | Thread sleep count: 4256 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe TID: 6440 | Thread sleep time: -42560000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Last function: Thread delayed (2 identical entries)
Source: C:\Users\user\Desktop\build.exe | Thread delayed: delay time: 922337203685477
Source: cvtres.exe, 00000003.00000002.4166213175.0000000000977000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: C:\Users\user\Desktop\build.exe | Code function: 0_2_009D68A2 LdrInitializeThunk, 0_2_009D68A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\build.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: build.exe PID: 7040, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cvtres.exe PID: 6316, type: MEMORYSTR
Source: build.exe, RunPE.cs | Reference to suspicious API methods: Conversions.ToGenericParameter<CreateApi>((object)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))) (2 identical entries)
Source: build.exe, RunPE.cs | Reference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
Source: build.exe, RunPE.cs | Reference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num2, length, 12288, 64)
Source: build.exe, RunPE.cs | Reference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num4, data, bufferSize, ref bytesRead)
Source: C:\Users\user\Desktop\build.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\build.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\build.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 400000
Source: C:\Users\user\Desktop\build.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 402000
Source: C:\Users\user\Desktop\build.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 40E000
Source: C:\Users\user\Desktop\build.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 410000
Source: C:\Users\user\Desktop\build.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe base: 692008
Source: C:\Users\user\Desktop\build.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 193.142.146.64 2015 VOerOCQof
Source: build.exe, 00000000.00000002.1717332096.00000000026D6000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000003.00000002.4166008887.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\build.exe | Queries volume information: C:\Users\user\Desktop\build.exe VolumeInformation
Source: C:\Users\user\Desktop\build.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\build.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\build.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 Create Account | 312 Process Injection | 1 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 31 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 312 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | 2 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 31 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 12 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Timestomp | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 DLL Side-Loading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

Source | Detection | Scanner | Label
build.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.Xhvnc
build.exe | 100% | Avira | TR/Dropper.Gen
build.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\fOWeBGYAp\TxTKzZWFO.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\fOWeBGYAp\TxTKzZWFO.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\fOWeBGYAp\TxTKzZWFO.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.Xhvnc
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ipinfo.io | 34.117.59.81 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://ipinfo.io/ip | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://ipinfo.iod | cvtres.exe, 00000003.00000002.4167328220.0000000002958000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://ipinfo.io/ipbP | cvtres.exe, 00000003.00000002.4166213175.0000000000977000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | cvtres.exe, 00000003.00000002.4167328220.0000000002941000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ipinfo.io | cvtres.exe, 00000003.00000002.4167328220.0000000002958000.00000004.00000800.00020000.00000000.sdmp, cvtres.exe, 00000003.00000002.4167328220.0000000002950000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://i.imgur.com/A6jEbUB.png | cvtres.exe, 00000003.00000002.4166008887.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | unknown
                  • No. of IPs < 25%
                  • 25% < No. of IPs < 50%
                  • 50% < No. of IPs < 75%
                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
193.142.146.64 | unknown | Netherlands | 208046 | HOSTSLICK-GERMANYNL | false
34.117.59.81 | ipinfo.io | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1526421
                  Start date and time:2024-10-05 16:37:04 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 5s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:build.exe
                  Detection:MAL
                  Classification:mal100.evad.winEXE@8/3@1/2
                  EGA Information:
                  • Successful, ratio: 50%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 73
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target cvtres.exe, PID 6316 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                  • Report size exceeded maximum capacity and may have missing behavior information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • VT rate limit hit for: build.exe
Time | Type | Description
10:38:03 | API Interceptor | 8890399x Sleep call for process: cvtres.exe modified
15:38:02 | Task Scheduler | Run new task: CreateExplorerShellUnelevatedTask path: C:\Windows\explorer.exe s>/NoUACCheck
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.142.146.64 | Form-8879_PDF.jar | malicious | Unknown |
193.142.146.64 | Form-8879_PDF.jar | malicious | Unknown |
34.117.59.81 | YjcgpfVBcm.bat | malicious | Unknown | ipinfo.io/json
34.117.59.81 | lePDF.cmd | malicious | Unknown | ipinfo.io/json
34.117.59.81 | 6Mpsoq1.php.ps1 | malicious | Unknown | ipinfo.io/json
34.117.59.81 | mjOiDa1hrN.bat | malicious | Unknown | ipinfo.io/json
34.117.59.81 | 8ym4cxJPyl.ps1 | malicious | Unknown | ipinfo.io/json
34.117.59.81 | GKrKPXOkdF.zsb.dll | malicious | Unknown | ipinfo.io/json
34.117.59.81 | JuhnladbIs.qao.dll | malicious | Unknown | ipinfo.io/json
34.117.59.81 | bdsBbxwPyV.ena.dll | malicious | Unknown | ipinfo.io/json
34.117.59.81 | fblXRRCHON.pos.dll | malicious | Unknown | ipinfo.io/json
34.117.59.81 | GmsiIZXruf.hos.dll | malicious | Unknown | ipinfo.io/json
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ipinfo.io | d1bc91bd44a0.exe | malicious | PrivateLoader, Stealc, Vidar | 34.117.59.81
ipinfo.io | setup.exe | malicious | Unknown | 34.117.59.81
ipinfo.io | file.exe | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | 34.117.59.81
ipinfo.io | sqlite.dll | malicious | Unknown | 34.117.59.81
ipinfo.io | T3xpD9ZaYu.exe | malicious | DCRat, PureLog Stealer, zgRAT | 34.117.59.81
ipinfo.io | 66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 34.117.59.81
ipinfo.io | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 34.117.59.81
ipinfo.io | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 34.117.59.81
ipinfo.io | OXrZ6fj4Hq.exe | malicious | Neshta, Oski Stealer, StormKitty, SugarDump, Vidar, XWorm | 34.117.59.81
ipinfo.io | Passport and card.vbs | malicious | Unknown | 34.117.59.81
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTSLICK-GERMANYNL | ub16vsLP6y.zip | malicious | Remcos | 193.142.146.203
HOSTSLICK-GERMANYNL | ISehgzqm2V.zip | malicious | Remcos | 193.142.146.203
HOSTSLICK-GERMANYNL | Form-8879_PDF.jar | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | Form-8879_PDF.jar | malicious | Unknown | 193.142.146.64
HOSTSLICK-GERMANYNL | bot_library.exe | malicious | Unknown | 193.142.146.43
HOSTSLICK-GERMANYNL | SecuriteInfo.com.ELF.Mirai-CQT.17542.12898.elf | malicious | Mirai | 193.142.146.10
HOSTSLICK-GERMANYNL | arm7.elf | malicious | Unknown | 193.142.146.10
HOSTSLICK-GERMANYNL | SecuriteInfo.com.ELF.Mirai-CQU.1502.23988.elf | malicious | Unknown | 193.142.146.10
HOSTSLICK-GERMANYNL | arm7.elf | malicious | Unknown | 193.142.146.10
HOSTSLICK-GERMANYNL | SecuriteInfo.com.ELF.Mirai-CQU.22530.21245.elf | malicious | Mirai | 193.142.146.10
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://s3.amazonaws.com/r3e1272/Rco.html#4eyOul3510eTKK19nejdimaazo189TBUDIERNFIMTFBQ264510CRSG907S11 | malicious | Phisher | 34.117.39.58
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | http://nirothniroth.site/?p=22&fbclid=IwY2xjawFs_DdleHRuA2FlbQIxMQABHTdgZU6ok722L5RxKPR-zh7Gkm6BqZ8BcT950y1bxf6l0LKz0zslg7KJHw_aem__ldVm1UUndXAkwYRakjBzg | malicious | Unknown | 34.117.77.79
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://lil-loveeeees.blogspot.com/ | malicious | Unknown | 34.117.77.79
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | ethaertharety.ps1 | malicious | Unknown | 34.117.77.79
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | d1bc91bd44a0.exe | malicious | PrivateLoader, Stealc, Vidar | 34.117.59.81
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | TsxJNxhxMJfQTd.ps1 | malicious | Unknown | 34.117.77.79
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | setup.exe | malicious | Unknown | 34.117.59.81
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | hJABTqngKoJnTgLh.ps1 | malicious | Unknown | 34.117.77.79
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | https://go.hginsights.com/rs/214-HYO-692/images/HG | malicious | Unknown | 34.117.177.207
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | file.exe | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | 34.117.59.81
                      No context
                      No context
                      Process:C:\Users\user\Desktop\build.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):617
                      Entropy (8bit):5.3554278163807965
                      Encrypted:false
                      SSDEEP:12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKharkvoDLI4MWuCv:MLU84qpE4KlKDE4KhKiKhIE4Ks
                      MD5:8378C2E2DA2FDD2FB813AA6E18705667
                      SHA1:EFA4CF7D0E19099EB95C3BCA32F6A5D111BFFF30
                      SHA-256:C12EA9B40BA290B624BB2DDAFD4CB2CDC1C05AE1F5F142899D53CF9C54DFFA06
                      SHA-512:69C0E61617DFD6F843ECBA8D9328D6737BADAFB622236D3AC79E03590AFAFC5523E10D5E52AD8ACABD71EF9F4B202A654A386E1DF799CC9219CA4678145CDFDD
                      Malicious:true
                      Reputation:moderate, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..
                      Process:C:\Users\user\Desktop\build.exe
                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):37376
                      Entropy (8bit):7.1308990174588125
                      Encrypted:false
                      SSDEEP:768:m10OhbWGFX9QY2A8ZaTJeXARCaib2Fgc44dxSi59J8:m1j7eYiZK1Lib2WGbSi59y
                      MD5:76A22609F559DB1A73201B95A09053E7
                      SHA1:56D1D8DA4E5CEA24045CFADC46DF0D01BE4F161C
                      SHA-256:B39FC625927448FA634BF0241A8EABD228D9ACFFB3E66E1091EB1A7CB3F9D719
                      SHA-512:1E334D876B6EE6E1DB1D8E7C4587F33096FB2476AD755E5D9C7329D00C4C9A35010B09912B85342811CEFB612E80B540548F4FD21126E49D86C13CA4468E48FF
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 74%
                      Reputation:low
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0................. ........@.. ....................................`.....................................K.......|............................................................................ ............... ..H............text....... ...................... ..`.rsrc...|...........................@..@.reloc..............................@..B.......................H........z...+......A....................................................0..................}..........j(....}....r...p.j(.....j(..... ....~....(................................(....(....}".....r...p}$...........~.....%(......o....r...p(.........~.........o5...& .K.......%.7...(....(....(.........rG..p(......,G.r...p......%...%.r...p.%...%.r...p.%...(....~......r...p~....(....&.+Ur...p(........,E.ry..p......%...%.r...p.%...%.r...p.%...(....~......r...p~....(....&..........*..
                      Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):10
                      Entropy (8bit):2.446439344671015
                      Encrypted:false
                      SSDEEP:3:MKV/z:MKBz
                      MD5:E27D47991851642F9EDCBA5827441DD5
                      SHA1:D2D3C1B59CDE8CA587E7AF6AA565D0B3A6AD69AB
                      SHA-256:0736DC7C3FEFD085EC17D24EF7BE290E4447B87A1196397DD3203D7C19EEACED
                      SHA-512:BEA4525CFC84C6C666628810723D2A28A2184AEC4F16F8F189425A2D669F62B5F89B00B5035D3B38A94629CF5B0EA5F3A4FD2B224A69C19B4450636AE9989205
                      Malicious:false
                      Reputation:low
                      Preview:10/05/2024
                      File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):7.1308990174588125
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:build.exe
                      File size:37'376 bytes
                      MD5:76a22609f559db1a73201b95a09053e7
                      SHA1:56d1d8da4e5cea24045cfadc46df0d01be4f161c
                      SHA256:b39fc625927448fa634bf0241a8eabd228d9acffb3e66e1091eb1a7cb3f9d719
                      SHA512:1e334d876b6ee6e1db1d8e7c4587f33096fb2476ad755e5d9c7329d00c4c9a35010b09912b85342811cefb612e80b540548f4fd21126e49d86c13ca4468e48ff
                      SSDEEP:768:m10OhbWGFX9QY2A8ZaTJeXARCaib2Fgc44dxSi59J8:m1j7eYiZK1Lib2WGbSi59y
                      TLSH:49F2C01463ED9E46E56D0DB84FF38A008BF0E6D11963E74F28C48089D7A37694AA17B6
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................`................................
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0x40a6ee
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows cui
                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0xC09B1206 [Wed May 25 07:49:26 2072 UTC] (48 years after the analysis date of 05/10/2024, so the link timestamp is not genuine)
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                      Instruction
                      jmp dword ptr [00402000h]    ; indirect jump through the IAT slot at RVA 0x2000 (IMAGE_DIRECTORY_ENTRY_IAT, 8 bytes) that holds the only import, mscoree.dll!_CorExeMain: the standard native stub of a .NET executable, so the managed entry point, not this stub, is where the sample's own logic starts
                      add byte ptr [eax], al       ; repeated 97 times: the zero padding that follows the stub, decoded as instructions
                      Name                                 | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                      IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xa6a0          | 0x4b         | .text
                      IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xc000          | 0x57c        | .rsrc
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                      IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xe000          | 0xc          | .reloc
                      IMAGE_DIRECTORY_ENTRY_DEBUG          | 0xa684          | 0x1c         | .text
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                      IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                      IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                      IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                      Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                      .text  | 0x2000          | 0x86f4       | 0x8800   | d0c9073e4bde4f13ccd64a67e418df2f | False    | 0.8003791360294118 | data      | 7.321757044315469   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      .rsrc  | 0xc000          | 0x57c        | 0x600    | a97a34508c12d857871a91f00cd2479f | False    | 0.4075520833333333 | data      | 3.9774317822717205  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                      .reloc | 0xe000          | 0xc          | 0x200    | 81416023e10a096458e5fbc41a4bf984 | False    | 0.044921875        | data      | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                      Name        | RVA    | Size  | Type                                                                              | Language | Country | ZLIB Complexity
                      RT_VERSION  | 0xc090 | 0x2ec | data                                                                              |          |         | 0.4344919786096257
                      RT_MANIFEST | 0xc38c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |         | 0.5489795918367347
                      DLL         | Import
                      mscoree.dll | _CorExeMain
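The header fields above (a link timestamp in 2072, a .text section at entropy 7.32 occupying almost the whole 37'376-byte file, and mscoree.dll!_CorExeMain as the only import) are the static indicators an analyst checks before running anything. The Python below is an added example, not part of the Joe Sandbox report: it parses the COFF header and section table of a PE image, decodes the TimeDateStamp, computes per-section Shannon entropy on the same bits-per-byte scale the report's "Entropy (8bit)" uses, and flags a timestamp that lies after the analysis time or an executable section above an entropy threshold. The image it runs on is constructed inline with this sample's header values (timestamp 0xC09B1206, the three sections with their virtual addresses and raw sizes, which together with a 0x200-byte header block add up to the reported 37'376 bytes); the section bodies are synthetic filler, so the entropies it computes belong to the filler, not to the sample, and the 7.0 threshold and the analysis time taken from the HTTP reply's Date header are working assumptions.

```python
"""Static triage of PE header fields (added example; the image below is constructed, not the sample)."""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000      # PE/COFF section characteristic bits
IMAGE_SCN_MEM_WRITE = 0x80000000
ENTROPY_THRESHOLD = 7.0                 # assumption: above this an executable section is usually packed or encrypted
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ANALYSIS_TIME = datetime(2024, 10, 5, 14, 38, 3, tzinfo=timezone.utc)  # Date header of the report's HTTP reply


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 to 8.0), the scale the report's 'Entropy (8bit)' uses."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Read the COFF header and section table; raises ValueError on a malformed image."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", blob, coff)
    sect_off = coff + 20 + opt_size     # section headers follow the optional header
    sections = []
    for i in range(nsections):
        hdr = struct.unpack_from("<8sIIIIIIHHI", blob, sect_off + 40 * i)
        name, vsize, va, raw_size, raw_ptr, flags = hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[9]
        data = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "flags": flags, "entropy": shannon_entropy(data)})
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics, "sections": sections}


def link_time(info: dict) -> str:
    """TimeDateStamp as a UTC string; computed from the epoch so it works beyond 2038 on any platform."""
    return (EPOCH + timedelta(seconds=info["timestamp"])).strftime("%Y-%m-%d %H:%M:%S")


def triage(info: dict, analysis_time: datetime) -> list:
    """Static findings from the parsed header; analysis_time must be timezone-aware."""
    findings = []
    linked = EPOCH + timedelta(seconds=info["timestamp"])
    if linked > analysis_time:
        findings.append(f"link timestamp {link_time(info)} UTC lies after the analysis time")
    for s in info["sections"]:
        executable = bool(s["flags"] & IMAGE_SCN_MEM_EXECUTE)
        if executable and s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"{s['name']}: executable section with entropy {s['entropy']:.2f}")
        if executable and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: section is both writable and executable")
    return findings


def build_sample() -> bytes:
    """Constructed image carrying this sample's header values; the section bodies are synthetic filler."""
    headers = bytearray(0x200)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x80)            # e_lfanew
    headers[0x80:0x84] = b"PE\0\0"
    opt_size = 0xE0                                         # PE32 optional header, left zeroed here
    # Machine i386, 3 sections, the report's timestamp, EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", headers, 0x84, 0x014C, 3, 0xC09B1206, 0, 0, opt_size, 0x0122)
    text = bytes(range(256)) * (0x8800 // 256)              # uniform filler: entropy exactly 8.0
    rsrc = b"\0" * 0x600                                    # zero filler: entropy 0.0
    reloc = b"\0" * 0x200
    layout = [  # name, VirtualSize, VirtualAddress, data, PointerToRawData, Characteristics (as in the report)
        (b".text", 0x86F4, 0x2000, text, 0x200, 0x60000020),
        (b".rsrc", 0x57C, 0xC000, rsrc, 0x8A00, 0x40000040),
        (b".reloc", 0xC, 0xE000, reloc, 0x9000, 0x42000040),
    ]
    off = 0x84 + 20 + opt_size
    for name, vsize, va, data, raw_ptr, flags in layout:
        struct.pack_into("<8sIIIIIIHHI", headers, off, name, vsize, va, len(data), raw_ptr, 0, 0, 0, 0, flags)
        off += 40
    return bytes(headers) + text + rsrc + reloc


if __name__ == "__main__":
    image = build_sample()
    info = parse_pe(image)
    print(f"{len(image)} bytes, {len(info['sections'])} sections, linked {link_time(info)} UTC")
    for finding in triage(info, ANALYSIS_TIME):
        print("-", finding)
```

Run against a real file, replace `build_sample()` with the file's bytes; the raw-size arithmetic is the same one that makes the constructed image come out at exactly 37'376 bytes, which is a quick consistency check that the section table has not been tampered with.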
                      Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP
                      Oct 5, 2024 16:38:02.442990065 CEST | 49730       | 2015      | 192.168.2.4    | 193.142.146.64
                      Oct 5, 2024 16:38:02.448379993 CEST | 2015        | 49730     | 193.142.146.64 | 192.168.2.4
                      Oct 5, 2024 16:38:02.448492050 CEST | 49730       | 2015      | 192.168.2.4    | 193.142.146.64
                      Oct 5, 2024 16:38:03.349845886 CEST | 49731       | 80        | 192.168.2.4    | 34.117.59.81
                      Oct 5, 2024 16:38:03.354971886 CEST | 80          | 49731     | 34.117.59.81   | 192.168.2.4
                      Oct 5, 2024 16:38:03.355037928 CEST | 49731       | 80        | 192.168.2.4    | 34.117.59.81
                      Oct 5, 2024 16:38:03.356287956 CEST | 49731       | 80        | 192.168.2.4    | 34.117.59.81
                      Oct 5, 2024 16:38:03.361126900 CEST | 80          | 49731     | 34.117.59.81   | 192.168.2.4
                      Oct 5, 2024 16:38:03.839647055 CEST | 80          | 49731     | 34.117.59.81   | 192.168.2.4
                      Oct 5, 2024 16:38:03.887738943 CEST | 49730       | 2015      | 192.168.2.4    | 193.142.146.64
                      Oct 5, 2024 16:38:03.893629074 CEST | 49731       | 80        | 192.168.2.4    | 34.117.59.81
                      Oct 5, 2024 16:38:03.894247055 CEST | 2015        | 49730     | 193.142.146.64 | 192.168.2.4
                      Oct 5, 2024 16:38:03.894311905 CEST | 49730       | 2015      | 192.168.2.4    | 193.142.146.64
                      Oct 5, 2024 16:38:03.900902033 CEST | 2015        | 49730     | 193.142.146.64 | 192.168.2.4
                      Oct 5, 2024 16:39:43.848033905 CEST | 49731       | 80        | 192.168.2.4    | 34.117.59.81
                      Oct 5, 2024 16:39:43.853061914 CEST | 80          | 49731     | 34.117.59.81   | 192.168.2.4
                      Oct 5, 2024 16:39:43.853146076 CEST | 49731       | 80        | 192.168.2.4    | 34.117.59.81
                      Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                      Oct 5, 2024 16:38:03.225924015 CEST | 53050       | 53        | 192.168.2.4 | 1.1.1.1
                      Oct 5, 2024 16:38:03.269551992 CEST | 53          | 53050     | 1.1.1.1     | 192.168.2.4
                      Timestamp                           | Source IP   | Dest IP     | Trans ID | OP Code            | Name      | Type           | Class       | DNS over HTTPS
                      Oct 5, 2024 16:38:03.225924015 CEST | 192.168.2.4 | 1.1.1.1     | 0x376e   | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
                      Timestamp                           | Source IP   | Dest IP     | Trans ID | Reply Code         | Name      | CName | Address      | Type           | Class       | DNS over HTTPS
                      Oct 5, 2024 16:38:03.269551992 CEST | 1.1.1.1     | 192.168.2.4 | 0x376e   | No error (0)       | ipinfo.io |       | 34.117.59.81 | A (IP address) | IN (0x0001) | false
                      • ipinfo.io
                      Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
                      0          | 192.168.2.4 | 49731       | 34.117.59.81   | 80               | 6316 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      Timestamp                           | Bytes transferred | Direction | Data
                      Oct 5, 2024 16:38:03.356287956 CEST | 61                | OUT       |
                          GET /ip HTTP/1.1
                          Host: ipinfo.io
                          Connection: Keep-Alive
                      Oct 5, 2024 16:38:03.839647055 CEST | 240               | IN        |
                          HTTP/1.1 200 OK
                          date: Sat, 05 Oct 2024 14:38:03 GMT
                          content-type: text/plain; charset=utf-8
                          Content-Length: 11
                          access-control-allow-origin: *
                          via: 1.1 google
                          strict-transport-security: max-age=2592000; includeSubDomains
                          Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                          Data Ascii: 8.46.123.33
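The capture above contains two network behaviours worth turning into detection logic: a TCP session to 193.142.146.64 on port 2015, and from cvtres.exe (PID 6316) a 61-byte HTTP request to ipinfo.io that carries no User-Agent header and whose 240-byte reply is the sandbox's egress address. The Python below is an added example, not part of the Joe Sandbox report: it parses raw HTTP/1.x messages, flags requests that lack a User-Agent or go to a public IP echo service, flags TCP connections to ports outside an expected set, and correlates the two by process. The request and reply bytes are the ones printed above, re-encoded with CRLF line endings (their lengths come out at exactly 61 and 240); the connection records are constructed from the TCP/UDP tables, and attributing the port-2015 session to PID 6316 is an assumption taken from the cvtres.exe command line (Target ID 3 below), since the TCP table itself carries no PID. The expected-port set and the IP echo hosts other than ipinfo.io are assumptions as well.

```python
"""Network triage over captured connections and HTTP messages (added example, not report code)."""
from dataclasses import dataclass

EXPECTED_PORTS = {80, 443}  # assumption: the only ports a build helper like cvtres.exe has business talking to
# ipinfo.io is from the report; the others are well-known public IP echo services (assumption)
IP_ECHO_HOSTS = {"ipinfo.io", "api.ipify.org", "icanhazip.com", "ifconfig.me"}


@dataclass(frozen=True)
class Connection:
    pid: int
    image: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def parse_http_message(raw: bytes) -> dict:
    """Split an HTTP/1.x request or response into start line, lower-cased header map and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers, "body": body}


def egress_ip_from_reply(raw: bytes) -> str:
    """The address an IP echo service returned, trimmed to Content-Length."""
    msg = parse_http_message(raw)
    length = int(msg["headers"].get("content-length", len(msg["body"])))
    return msg["body"][:length].decode("ascii").strip()


def triage(conns, http_sessions) -> list:
    """conns: Connection records; http_sessions: (pid, raw_request, raw_response). Returns findings."""
    findings = []
    odd_port_pids, lookup_pids = set(), set()
    for c in conns:
        if c.proto == "tcp" and c.dst_port not in EXPECTED_PORTS:
            odd_port_pids.add(c.pid)
            findings.append(f"pid {c.pid} ({c.image}): TCP to {c.dst_ip}:{c.dst_port}, outside the expected port set")
    for pid, request, response in http_sessions:
        req = parse_http_message(request)
        host = req["headers"].get("host", "").lower()
        if "user-agent" not in req["headers"]:
            findings.append(f"pid {pid}: '{req['start_line']}' to {host or '?'} without a User-Agent header")
        if host in IP_ECHO_HOSTS:
            lookup_pids.add(pid)
            findings.append(f"pid {pid}: learned its public address {egress_ip_from_reply(response)} from {host}")
    # A process that first asks for its public address and then opens an unusual port is the check-in pattern
    for pid in sorted(odd_port_pids & lookup_pids):
        findings.append(f"pid {pid}: public IP discovery followed by a non-standard-port session from the same process")
    return findings


CVTRES = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
# Constructed from the report's TCP/UDP tables; the PID on the port-2015 row is an assumption (see lead-in)
CONNECTIONS = [
    Connection(6316, CVTRES, "193.142.146.64", 2015),
    Connection(6316, CVTRES, "34.117.59.81", 80),
    Connection(6316, CVTRES, "1.1.1.1", 53, proto="udp"),
]
# The 61-byte request and 240-byte reply printed in the report, with CRLF line endings restored
REQUEST = (b"GET /ip HTTP/1.1\r\n"
           b"Host: ipinfo.io\r\n"
           b"Connection: Keep-Alive\r\n\r\n")
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"date: Sat, 05 Oct 2024 14:38:03 GMT\r\n"
            b"content-type: text/plain; charset=utf-8\r\n"
            b"Content-Length: 11\r\n"
            b"access-control-allow-origin: *\r\n"
            b"via: 1.1 google\r\n"
            b"strict-transport-security: max-age=2592000; includeSubDomains\r\n\r\n"
            b"8.46.123.33")
HTTP_SESSIONS = [(6316, REQUEST, RESPONSE)]

if __name__ == "__main__":
    for finding in triage(CONNECTIONS, HTTP_SESSIONS):
        print("-", finding)
```

A browser request carries a User-Agent and goes to port 80 or 443, so the same function returns nothing for it; the value of the check is the combination, since an IP lookup on its own is common in legitimate software and a single odd port on its own is noisy.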

                      Target ID:0
                      Start time:10:37:59
                      Start date:05/10/2024
                      Path:C:\Users\user\Desktop\build.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\build.exe"
                      Imagebase:0x370000
                      File size:37'376 bytes
                      MD5 hash:76A22609F559DB1A73201B95A09053E7
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:low
                      Has exited:true

                      Target ID:1
                      Start time:10:37:59
                      Start date:05/10/2024
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:2
                      Start time:10:37:59
                      Start date:05/10/2024
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Windows\explorer.exe"
                      Imagebase:0x7ff72b770000
                      File size:5'141'208 bytes
                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:3
                      Start time:10:38:00
                      Start date:05/10/2024
                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Default 193.142.146.64 2015 VOerOCQof
                      Imagebase:0x5a0000
                      File size:46'832 bytes
                      MD5 hash:70D838A7DC5B359C3F938A71FAD77DB0
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
                      Has exited:false

                      Target ID:4
                      Start time:10:38:00
                      Start date:05/10/2024
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\explorer.exe /NoUACCheck
                      Imagebase:0x7ff72b770000
                      File size:5'141'208 bytes
                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:10:38:02
                      Start date:05/10/2024
                      Path:C:\Windows\explorer.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\explorer.exe /NoUACCheck
                      Imagebase:0x7ff72b770000
                      File size:5'141'208 bytes
                      MD5 hash:662F4F92FDE3557E86D110526BB578D5
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true


                        Execution Graph

                        Execution Coverage:24.9%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:23.3%
                        Total number of Nodes:73
                        Total number of Limit Nodes:6
                        execution_graph 4093 9d0848 4094 9d0868 4093->4094 4102 9d04dc 4094->4102 4096 9d08ac 4106 9d2ae0 4096->4106 4098 9d0969 4103 9d0980 GetConsoleWindow 4102->4103 4105 9d0a02 4103->4105 4105->4096 4107 9d2b23 4106->4107 4141 9d264e 4107->4141 4145 9d2658 4107->4145 4108 9d2cd4 4109 9d0937 4108->4109 4112 9d3329 12 API calls 4108->4112 4113 9d3338 12 API calls 4108->4113 4109->4098 4114 9d3fc0 4109->4114 4127 9d41e8 4109->4127 4112->4109 4113->4109 4115 9d3ff7 4114->4115 4116 9d41af 4115->4116 4149 9d629d 4115->4149 4153 9d62f0 4115->4153 4157 9d62c0 4115->4157 4161 9d6194 4115->4161 4165 9d6205 4115->4165 4169 9d64e8 4115->4169 4173 9d6278 4115->4173 4177 9d6288 4115->4177 4181 9d61d8 4115->4181 4185 9d615c 4115->4185 4116->4098 4128 9d41f6 4127->4128 4130 9d417f 4127->4130 4129 9d41af 4129->4098 4130->4129 4131 9d629d KiUserExceptionDispatcher 4130->4131 4132 9d615c KiUserExceptionDispatcher 4130->4132 4133 9d61d8 KiUserExceptionDispatcher 4130->4133 4134 9d6288 KiUserExceptionDispatcher 4130->4134 4135 9d6278 KiUserExceptionDispatcher 4130->4135 4136 9d64e8 KiUserExceptionDispatcher 4130->4136 4137 9d6205 KiUserExceptionDispatcher 4130->4137 4138 9d6194 KiUserExceptionDispatcher 4130->4138 4139 9d62c0 KiUserExceptionDispatcher 4130->4139 4140 9d62f0 KiUserExceptionDispatcher 4130->4140 4131->4130 4132->4130 4133->4130 4134->4130 4135->4130 4136->4130 4137->4130 4138->4130 4139->4130 4140->4130 4142 9d26df CreateProcessA 4141->4142 4144 9d293c 4142->4144 4146 9d26df CreateProcessA 4145->4146 4148 9d293c 4146->4148 4150 9d62af KiUserExceptionDispatcher 4149->4150 4152 9d6563 4150->4152 4152->4115 4154 9d650f KiUserExceptionDispatcher 4153->4154 4155 9d650a 4153->4155 4156 9d6563 4154->4156 4155->4154 4156->4115 4159 9d627d 4157->4159 4158 9d650f KiUserExceptionDispatcher 4160 9d6563 4158->4160 4159->4157 4159->4158 4160->4115 4162 9d6161 4161->4162 4162->4161 4163 9d650f KiUserExceptionDispatcher 4162->4163 4164 9d6563 4163->4164 4164->4115 
4167 9d620d KiUserExceptionDispatcher 4165->4167 4168 9d6563 4167->4168 4168->4115 4170 9d650f KiUserExceptionDispatcher 4169->4170 4171 9d650a 4169->4171 4172 9d6563 4170->4172 4171->4170 4172->4115 4175 9d627d KiUserExceptionDispatcher 4173->4175 4176 9d6563 4175->4176 4176->4115 4179 9d61df KiUserExceptionDispatcher 4177->4179 4180 9d6563 4179->4180 4180->4115 4182 9d61df KiUserExceptionDispatcher 4181->4182 4184 9d6563 4182->4184 4184->4115 4186 9d6161 KiUserExceptionDispatcher 4185->4186 4188 9d6563 4186->4188 4188->4115 4189 9d2f70 4190 9d2fbd CreateDesktopW 4189->4190 4192 9d3073 4190->4192

                        Control-flow Graph

                        control_flow_graph 135 9d2f70-9d2fcc 137 9d2fce-9d2fdd 135->137 138 9d2fe0-9d3071 CreateDesktopW 135->138 137->138 139 9d307a-9d30be 138->139 140 9d3073-9d3079 138->140 140->139
                        APIs
                        • CreateDesktopW.USER32(?,?,?,?,?), ref: 009D3061
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: CreateDesktop
                        • String ID: 2*:y
                        • API String ID: 3054513912-1120680929
                        • Opcode ID: 9ac5eb4b35313624f32088399950649fc46b29647b8a26f722a32843d927e698
                        • Instruction ID: 467c0926ee4358370bb3a00f8fa24794cc5bb16e7440e607196fc5b73d37d4bf
                        • Opcode Fuzzy Hash: 9ac5eb4b35313624f32088399950649fc46b29647b8a26f722a32843d927e698
                        • Instruction Fuzzy Hash: 914198B5D002188FCF10CFA9D884A9EFBB5BF59310F14902AE819BB320D775AA45CF94
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID:
                        • String ID: (
                        • API String ID: 0-3887548279
                        • Opcode ID: f7844fd8fab9ff5e9eb5461bfcf76a30092dc970b98bf4440494c72ce618729b
                        • Instruction ID: dffadeb7a4eaf59247f5064c478f0da99bddd417d86579fca38eecc299e2d187
                        • Opcode Fuzzy Hash: f7844fd8fab9ff5e9eb5461bfcf76a30092dc970b98bf4440494c72ce618729b
                        • Instruction Fuzzy Hash: 5062D0749012298FDB64DF25C994BEDBBB2BF89305F1084EAD40DA7291DB349E85CF41
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 009D6543
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: ce9fea5597d4746caa5278e351f6eeb604e4036a23517127f083f9491e2f0e84
                        • Instruction ID: 0a764cb650b916478a82f4e3d227e22b85a7c860ae581d54708f5906d9f186ec
                        • Opcode Fuzzy Hash: ce9fea5597d4746caa5278e351f6eeb604e4036a23517127f083f9491e2f0e84
                        • Instruction Fuzzy Hash: 6EC1B078E01218CFDB54DFA4D994A9DBBB2FF49304F2085AAD809AB365DB309D81CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 82d54a396f12512817dc8cb6ff1b46d3a5892041e5cdc129c6c90d8ac9db63b9
                        • Instruction ID: 11bf5ec4fb1f783ef1a5866a5abbc932364cf3ee5879d51dcf8d55b574d0d871
                        • Opcode Fuzzy Hash: 82d54a396f12512817dc8cb6ff1b46d3a5892041e5cdc129c6c90d8ac9db63b9
                        • Instruction Fuzzy Hash: 46C12474A00229DFEB25DF64CC50BADBBB6FB89300F1085AAE509A7395DB305A85DF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c098fc0dc8b449de343735e62bf12f65c6edcb3695b2037d1a07c2e12ad222ec
                        • Instruction ID: 59b0698f642d368137badb6d2492457a36c9d8e9678d07150130633df718e6ab
                        • Opcode Fuzzy Hash: c098fc0dc8b449de343735e62bf12f65c6edcb3695b2037d1a07c2e12ad222ec
                        • Instruction Fuzzy Hash: DE515E70D093999FCB06DF69D890ADEBFF2AF8A210F1980ABD454E7266D7300845CF91
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 13e29abcaa6d02feb90939b1a64a7a754130ae40e28cdfdc020a445e547fcc57
                        • Instruction ID: 891c9e48f8d8b82bdf551e5dbb710420d02524e61cf6fe4091172fda1ef8e4a6
                        • Opcode Fuzzy Hash: 13e29abcaa6d02feb90939b1a64a7a754130ae40e28cdfdc020a445e547fcc57
                        • Instruction Fuzzy Hash: 3C512A70D053589FCB45DFA9D890ADEBFF2AF8A210F1881ABD458E7265E7300846CF91
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 572e649d386164635321dc5754a97099d6e4afa47b44b8dda7cb4bc6b29652ce
                        • Instruction ID: 9067503ba6b474ee0e768b4c695197fbd83c5305f038d80c87fb3a84170def10
                        • Opcode Fuzzy Hash: 572e649d386164635321dc5754a97099d6e4afa47b44b8dda7cb4bc6b29652ce
                        • Instruction Fuzzy Hash: AE4175B4D01208AFDB48DFAAD991AADBBF6BB8D300F14D56AD818B3318E7345945CF50
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5ab3998aeed6df0b9c6b45779916709e5bd0235dc547877bb10657037ecc1d4b
                        • Instruction ID: 1ac142a2b10458021cd29fe7d89d8c1a6f7db16a9f6f339d7193c8038182eec5
                        • Opcode Fuzzy Hash: 5ab3998aeed6df0b9c6b45779916709e5bd0235dc547877bb10657037ecc1d4b
                        • Instruction Fuzzy Hash: FE31DF78E05208DFCB44DFA9D590ADDBBB2FF89300F14846AE814AB325DB35A942CF50

                        Control-flow Graph

                        control_flow_graph 0 9d264e-9d26f1 2 9d273a-9d2762 0->2 3 9d26f3-9d270a 0->3 7 9d27a8-9d27fe 2->7 8 9d2764-9d2778 2->8 3->2 6 9d270c-9d2711 3->6 9 9d2734-9d2737 6->9 10 9d2713-9d271d 6->10 16 9d2844-9d293a CreateProcessA 7->16 17 9d2800-9d2814 7->17 8->7 18 9d277a-9d277f 8->18 9->2 11 9d271f 10->11 12 9d2721-9d2730 10->12 11->12 12->12 15 9d2732 12->15 15->9 36 9d293c-9d2942 16->36 37 9d2943-9d2a2c 16->37 17->16 26 9d2816-9d281b 17->26 19 9d2781-9d278b 18->19 20 9d27a2-9d27a5 18->20 21 9d278d 19->21 22 9d278f-9d279e 19->22 20->7 21->22 22->22 25 9d27a0 22->25 25->20 28 9d281d-9d2827 26->28 29 9d283e-9d2841 26->29 30 9d2829 28->30 31 9d282b-9d283a 28->31 29->16 30->31 31->31 33 9d283c 31->33 33->29 36->37 48 9d2a3c-9d2a40 37->48 49 9d2a2e-9d2a32 37->49 51 9d2a50-9d2a54 48->51 52 9d2a42-9d2a46 48->52 49->48 50 9d2a34 49->50 50->48 54 9d2a64-9d2a68 51->54 55 9d2a56-9d2a5a 51->55 52->51 53 9d2a48 52->53 53->51 57 9d2a9e-9d2aa9 54->57 58 9d2a6a-9d2a93 54->58 55->54 56 9d2a5c 55->56 56->54 62 9d2aaa 57->62 58->57 62->62
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 009D2927
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID: 2*:y$2*:y
                        • API String ID: 963392458-4186917192
                        • Opcode ID: 3e8cf88e802336f0da1c08ed6948a3568357cefda7f02f9e80a725bbf8397356
                        • Instruction ID: 579969e850e215bcdcfb79309c46d92f6e38e57e9e12e2a610002b62f4fcc458
                        • Opcode Fuzzy Hash: 3e8cf88e802336f0da1c08ed6948a3568357cefda7f02f9e80a725bbf8397356
                        • Instruction Fuzzy Hash: E6C13571D002198FCB25CFA8C841BEEBBF1BF59310F1091AAD859B7250DB749A85CF85

                        Control-flow Graph

                        control_flow_graph 63 9d2658-9d26f1 65 9d273a-9d2762 63->65 66 9d26f3-9d270a 63->66 70 9d27a8-9d27fe 65->70 71 9d2764-9d2778 65->71 66->65 69 9d270c-9d2711 66->69 72 9d2734-9d2737 69->72 73 9d2713-9d271d 69->73 79 9d2844-9d293a CreateProcessA 70->79 80 9d2800-9d2814 70->80 71->70 81 9d277a-9d277f 71->81 72->65 74 9d271f 73->74 75 9d2721-9d2730 73->75 74->75 75->75 78 9d2732 75->78 78->72 99 9d293c-9d2942 79->99 100 9d2943-9d2a2c 79->100 80->79 89 9d2816-9d281b 80->89 82 9d2781-9d278b 81->82 83 9d27a2-9d27a5 81->83 84 9d278d 82->84 85 9d278f-9d279e 82->85 83->70 84->85 85->85 88 9d27a0 85->88 88->83 91 9d281d-9d2827 89->91 92 9d283e-9d2841 89->92 93 9d2829 91->93 94 9d282b-9d283a 91->94 92->79 93->94 94->94 96 9d283c 94->96 96->92 99->100 111 9d2a3c-9d2a40 100->111 112 9d2a2e-9d2a32 100->112 114 9d2a50-9d2a54 111->114 115 9d2a42-9d2a46 111->115 112->111 113 9d2a34 112->113 113->111 117 9d2a64-9d2a68 114->117 118 9d2a56-9d2a5a 114->118 115->114 116 9d2a48 115->116 116->114 120 9d2a9e-9d2aa9 117->120 121 9d2a6a-9d2a93 117->121 118->117 119 9d2a5c 118->119 119->117 125 9d2aaa 120->125 121->120 125->125
                        APIs
                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 009D2927
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID: 2*:y$2*:y
                        • API String ID: 963392458-4186917192
                        • Opcode ID: 659ec8c38625421e8b5253b8ed10d3c9bf6ee1c3dc237524fd9bd502938abfa6
                        • Instruction ID: 5ee251888d70dc76849dac174476df597b3b2bafb183098622012bd619c83e7b
                        • Opcode Fuzzy Hash: 659ec8c38625421e8b5253b8ed10d3c9bf6ee1c3dc237524fd9bd502938abfa6
                        • Instruction Fuzzy Hash: 4AC12571D002198FDB25CFA8C841BEDBBB1BF59300F1091AAD859B7240DB749A85CF85

                        Control-flow Graph
                        • Basic blocks 9d2f69-9d30be; CreateDesktopW is called from block 9d2fe0-9d3071
                        APIs
                        • CreateDesktopW.USER32(?,?,?,?,?), ref: 009D3061
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: CreateDesktop
                        • String ID: 2*:y
                        • API String ID: 3054513912-1120680929
                        • Opcode ID: 6f339315683065f4a59777233e1d1fcc612887bdc3345232ac506906bec5f39e
                        • Instruction ID: eaf3eefc21378d209f783db63a744cae4d630540c47d3223ceb69d6ef8668fec
                        • Opcode Fuzzy Hash: 6f339315683065f4a59777233e1d1fcc612887bdc3345232ac506906bec5f39e
                        • Instruction Fuzzy Hash: 9A4199B5D002588FCB10CFA9D884ADEFBB1BF59310F14912AE819BB221D775A949CF54

                        Control-flow Graph
                        • Basic blocks 9d22d0-9d240e; WriteProcessMemory is called from block 9d2352-9d23b3
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009D23A3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID: 2*:y
                        • API String ID: 3559483778-1120680929
                        • Opcode ID: a665c92cd77825774b2c19faa3e3469f1a44fa1d4ed834c2832cc080709e155b
                        • Instruction ID: e415c907514af1f63a51f8d958ec3e2de7dcdd053c5e25aef58fb0d9cdd7d2f5
                        • Opcode Fuzzy Hash: a665c92cd77825774b2c19faa3e3469f1a44fa1d4ed834c2832cc080709e155b
                        • Instruction Fuzzy Hash: 744199B4D012589FCB10CFA9D984ADEFBF1FB59310F24942AE819B7240D739AA45CF64

                        Control-flow Graph
                        • Basic blocks 9d22c8-9d240e; WriteProcessMemory is called from block 9d2352-9d23b3
                        APIs
                        • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009D23A3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: MemoryProcessWrite
                        • String ID: 2*:y
                        • API String ID: 3559483778-1120680929
                        • Opcode ID: 0596e0bd1913725fb82b735b5b70dde60bd725a198fa6bf4d9e8e2ea933178b0
                        • Instruction ID: 4186f43cc9460fa0049210274bfc6be69cbd4d4f8f9933885d7130a178c5b01b
                        • Opcode Fuzzy Hash: 0596e0bd1913725fb82b735b5b70dde60bd725a198fa6bf4d9e8e2ea933178b0
                        • Instruction Fuzzy Hash: 4D41BCB4D012588FCF00CFA9D984ADEFBF1BB59310F24942AE819B7240D739AA45CF54

                        Control-flow Graph
                        • Basic blocks 9d2421-9d2545; ReadProcessMemory is called from block 9d2421-9d24ea
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009D24DA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID: 2*:y
                        • API String ID: 1726664587-1120680929
                        • Opcode ID: 5d1d79c4444f4e6fba2a6ff2ebc3d164f92d3c8d01b75b10b326225eae4758f9
                        • Instruction ID: c4903082b04cb640b533988cb6a0685b7fc41210e669bf77ccccdd2f91b99590
                        • Opcode Fuzzy Hash: 5d1d79c4444f4e6fba2a6ff2ebc3d164f92d3c8d01b75b10b326225eae4758f9
                        • Instruction Fuzzy Hash: 6341AAB9D002589FCF10CFAAD884AEEFBB1BB59310F14942AE819B7250D735A945CF64

                        Control-flow Graph
                        • Basic blocks 9d2428-9d2545; ReadProcessMemory is called from block 9d2428-9d24ea
                        APIs
                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009D24DA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: MemoryProcessRead
                        • String ID: 2*:y
                        • API String ID: 1726664587-1120680929
                        • Opcode ID: 34d2063756d8709b81c13ff75fdec8b2638ee9548cf97cfa0706e93c2f9e2a71
                        • Instruction ID: d3111f69753586847ba5989028349a400f4aa33b19e95792f654c62a7fd6bad3
                        • Opcode Fuzzy Hash: 34d2063756d8709b81c13ff75fdec8b2638ee9548cf97cfa0706e93c2f9e2a71
                        • Instruction Fuzzy Hash: ED41ABB5D002589FCF10CFAAD884ADEFBB1FB59310F10942AE815B7250D735A945CF68

                        Control-flow Graph
                        • Basic blocks 9d21b0-9d22bd; VirtualAllocEx is called from block 9d21b0-9d226a
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 009D225A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: 2*:y
                        • API String ID: 4275171209-1120680929
                        • Opcode ID: f6bb8172739e1606d6838896c8ba5d70a0380b578a155f0524e3d1fd3977421e
                        • Instruction ID: e20b00271457be5648ff0ed295189b74d588f28721642e7b8fd9a9e43f84bb3a
                        • Opcode Fuzzy Hash: f6bb8172739e1606d6838896c8ba5d70a0380b578a155f0524e3d1fd3977421e
                        • Instruction Fuzzy Hash: F83198B8D002589FCF14CFA9D884A9EFBB1FB59310F10942AE825B7300D735A946CF58

                        Control-flow Graph
                        • Basic blocks 9d21a9-9d22bd; VirtualAllocEx is called from block 9d21a9-9d226a
                        APIs
                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 009D225A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: AllocVirtual
                        • String ID: 2*:y
                        • API String ID: 4275171209-1120680929
                        • Opcode ID: d1d6f540515bd0df8f7c02d8ec14bbf6c9a058345ec3f54503ebc907af6a0a20
                        • Instruction ID: 588b1805192fdcd666d4ef23f4ec6342442054d3d97c6955b0215c5c32c1a6e3
                        • Opcode Fuzzy Hash: d1d6f540515bd0df8f7c02d8ec14bbf6c9a058345ec3f54503ebc907af6a0a20
                        • Instruction Fuzzy Hash: 3E31A8B8D002589FCF14CFA9D980A9EFBB1FB59310F20941AE829B7210D735A942CF58

                        Control-flow Graph
                        • Basic blocks 9d2081-9d219c; Wow64SetThreadContext is called from block 9d20ff-9d2147
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 009D2137
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID: 2*:y
                        • API String ID: 983334009-1120680929
                        • Opcode ID: 78a8fa8db7863293ef3026c3224628fe29bb4871997045d3287c33a18cc93c9d
                        • Instruction ID: be12444e847baaf6795f60052a4010b07ece920694319e1a5de09e294f3968f5
                        • Opcode Fuzzy Hash: 78a8fa8db7863293ef3026c3224628fe29bb4871997045d3287c33a18cc93c9d
                        • Instruction Fuzzy Hash: 7441BCB4D042589FCB14CFAAD884AEEFBF1BB59310F24802AE419B7340D7399945CF54

                        Control-flow Graph
                        • Basic blocks 9d2088-9d219c; Wow64SetThreadContext is called from block 9d20ff-9d2147
                        APIs
                        • Wow64SetThreadContext.KERNEL32(?,?), ref: 009D2137
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: ContextThreadWow64
                        • String ID: 2*:y
                        • API String ID: 983334009-1120680929
                        • Opcode ID: 85dad5102c144b335abda0e248fd793dc0fd974898c7f3a9db24a9fc0047bc9a
                        • Instruction ID: 90be1a5c8f8b949c895f79504f067708439a3ed8ca85a791cf225e784776df29
                        • Opcode Fuzzy Hash: 85dad5102c144b335abda0e248fd793dc0fd974898c7f3a9db24a9fc0047bc9a
                        • Instruction Fuzzy Hash: AA31B9B4D042589FCB10DFAAD884AEEFBF1BB59310F24802AE419B7340D739A985CF54

                        Control-flow Graph
                        • Basic blocks 9d1228-9d1309; ResumeThread is called from block 9d1228-9d12be
                        APIs
                        • ResumeThread.KERNELBASE(?), ref: 009D12AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID: 2*:y
                        • API String ID: 947044025-1120680929
                        • Opcode ID: c498c23a7c419bbe0a1f354af6a5dc77f0d45e25390079d32370734020b474c0
                        • Instruction ID: 8fbd5b30bf4fe0dae529b7ad2bfee86d7d30daf69d8259ed4a6606c97679d02b
                        • Opcode Fuzzy Hash: c498c23a7c419bbe0a1f354af6a5dc77f0d45e25390079d32370734020b474c0
                        • Instruction Fuzzy Hash: A531BBB4D012589FCB14CFA9D985ADEFBB1AB49310F24951AE819B7340C735A941CF98

                        Control-flow Graph
                        • Basic blocks 9d1230-9d1309; ResumeThread is called from block 9d1230-9d12be
                        APIs
                        • ResumeThread.KERNELBASE(?), ref: 009D12AE
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: ResumeThread
                        • String ID: 2*:y
                        • API String ID: 947044025-1120680929
                        • Opcode ID: 454214ec5cf6004dd359aed9554f4d160508a74bc2af9d1babb09e9d0fcba80e
                        • Instruction ID: 0a711ba3fe2019a88a1e069290d25ac604dab651159e26b5d3bc2e1e4019511f
                        • Opcode Fuzzy Hash: 454214ec5cf6004dd359aed9554f4d160508a74bc2af9d1babb09e9d0fcba80e
                        • Instruction Fuzzy Hash: BA31CCB4D002189FCB14CFAAD984A9EFBF5FB49310F10942AE919B7340C735A941CF98

                        Control-flow Graph
                        • Basic blocks 9d04dc-9d0a35; GetConsoleWindow is called from block 9d04dc-9d0a00
                        APIs
                        • GetConsoleWindow.KERNELBASE ref: 009D09F0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: ConsoleWindow
                        • String ID: 2*:y
                        • API String ID: 2863861424-1120680929
                        • Opcode ID: a7d48140ce61797a8e06f8ba61e3976bb93231f77ab53c802692a3758fa3903a
                        • Instruction ID: f06ddfb862c40c3c8053b1f41108f7af7faca317959827d2262576617a012445
                        • Opcode Fuzzy Hash: a7d48140ce61797a8e06f8ba61e3976bb93231f77ab53c802692a3758fa3903a
                        • Instruction Fuzzy Hash: CD219AB8D002189FCB10CFA9D984A9EBBF4FB49310F20906AE819B7351D775A945CFA4
                        APIs
                        • GetConsoleWindow.KERNELBASE ref: 009D09F0
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: ConsoleWindow
                        • String ID: 2*:y
                        • API String ID: 2863861424-1120680929
                        • Opcode ID: e104eebb8d1d7f6c65b838fca77f65ddc74d1d9ccf08bfbbada4ef41407cc845
                        • Instruction ID: 17d09cad09535e91a4041f6dacbaf2d291798d5f2d5e87858ef2a436ea47637b
                        • Opcode Fuzzy Hash: e104eebb8d1d7f6c65b838fca77f65ddc74d1d9ccf08bfbbada4ef41407cc845
                        • Instruction Fuzzy Hash: AD21CCB8D042589FCB10CFA9D984ACEBBF4FB49310F20906AE818B7351D375A945CFA5
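                        Added example (not part of the Joe Sandbox report and not code from the analysed sample): the function blocks above list, one hooked API per function, the calls a process-hollowing loader needs (CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) with ReadProcessMemory, CreateDesktopW and GetConsoleWindow alongside. The Python below parses "APIs" lines in the report's own format (embedded here as constructed sample input copied from the blocks above), collapses entries that share a `ref:` call-site address (the report shows the same call twice when IDA found two entry points into one function, e.g. 9d22d0 and 9d22c8 both reaching 009D23A3), and checks whether the full hollowing chain (MITRE ATT&CK T1055.012) is present. The step names, the grouping of Win32 and Nt* API variants into one step, and the notes on supporting calls are this example's own triage assumptions, not fields of the report.

```python
import re
from collections import OrderedDict

# Constructed sample input: the "APIs" lines of the function blocks above, in the
# report's own format. Duplicated call sites (CreateProcessA at 009D2927 and
# WriteProcessMemory at 009D23A3 each appear under two function entries) are kept
# so the dedupe step has work to do.
REPORT_API_LINES = """
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 009D2927
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 009D2927
• CreateDesktopW.USER32(?,?,?,?,?), ref: 009D3061
• WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009D23A3
• WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009D23A3
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 009D24DA
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 009D225A
• Wow64SetThreadContext.KERNEL32(?,?), ref: 009D2137
• ResumeThread.KERNELBASE(?), ref: 009D12AE
• GetConsoleWindow.KERNELBASE ref: 009D09F0
• KiUserExceptionDispatcher.NTDLL ref: 009D6543
"""

# "<Api>.<Module>(<args>), ref: <hex>" with the argument list optional.
API_LINE = re.compile(
    r"^\W*(?P<api>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

def parse_api_lines(text):
    """Return (api, module, call_site) tuples, one per unique call-site address.

    The report lists the same call under several function entries when the
    disassembler found more than one entry point into one function; keying on
    the 'ref' address gives one record per actual call instruction.
    """
    by_site = OrderedDict()
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if m:
            site = int(m.group("ref"), 16)
            by_site.setdefault(site, (m.group("api"), m.group("module"), site))
    return list(by_site.values())

# Steps of a process-hollowing / RunPE chain (MITRE ATT&CK T1055.012). Each step
# accepts Win32 and native variants so a WoW64 or Nt*-only build still matches.
# Step names and groupings are this example's assumptions.
HOLLOWING_STEPS = OrderedDict([
    ("spawn target process",      {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("allocate in target",        {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write payload into target", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("redirect thread context",   {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume target thread",      {"ResumeThread", "NtResumeThread"}),
])

# Calls that do not prove injection on their own but strengthen the verdict
# when they sit next to the chain (analyst notes, not report data).
SUPPORTING_CALLS = {
    "ReadProcessMemory": "reads target memory (a hollower typically reads the PEB for the image base)",
    "CreateDesktopW": "creates a separate desktop that can host windows the user never sees",
    "GetConsoleWindow": "obtains its own console window handle, a common precursor to hiding it",
}

def hollowing_steps_seen(calls):
    """Map each chain step to the sorted observed APIs that satisfy it ([] if none)."""
    seen = {api for api, _, _ in calls}
    return OrderedDict((step, sorted(seen & apis)) for step, apis in HOLLOWING_STEPS.items())

def is_process_hollowing(calls):
    """True only when every step of the chain has at least one observed API."""
    return all(hollowing_steps_seen(calls).values())

def supporting_indicators(calls):
    """Supporting calls present in the observed set, each with why it matters."""
    seen = {api for api, _, _ in calls}
    return {api: why for api, why in SUPPORTING_CALLS.items() if api in seen}

def triage(text):
    """Parse report lines and return a verdict dict suitable for a case note."""
    calls = parse_api_lines(text)
    steps = hollowing_steps_seen(calls)
    return {
        "unique_call_sites": len(calls),
        "steps": steps,
        "missing_steps": [s for s, apis in steps.items() if not apis],
        "process_hollowing": is_process_hollowing(calls),
        "supporting": supporting_indicators(calls),
    }

if __name__ == "__main__":
    verdict = triage(REPORT_API_LINES)
    for step, apis in verdict["steps"].items():
        print(f"{step:28s} {', '.join(apis) or '-'}")
    print("process hollowing chain complete:", verdict["process_hollowing"])
    for api, why in verdict["supporting"].items():
        print(f"  + {api}: {why}")
```

                        The verdict is deliberately set-based rather than order-based: the `ref:` addresses are static call sites, so their numeric order says nothing about execution order, and a missing step is reported by name so an analyst can see which API a variant replaced (for example NtWriteVirtualMemory in place of WriteProcessMemory) instead of getting a bare false.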
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b971dd2d228f17cb693f99eea002d8903726265494d1e06326f8a65f84deb378
                        • Instruction ID: 4051e1b03fa803170ea10b5fc5c60e8bea2b8835748bf3d19ad67b850e7018ed
                        • Opcode Fuzzy Hash: b971dd2d228f17cb693f99eea002d8903726265494d1e06326f8a65f84deb378
                        • Instruction Fuzzy Hash: 2B617974905218CFCB55DF68C884B99BBB2FF8A304F1484EAD408A7366D7309E85CF51
                        APIs
                        • KiUserExceptionDispatcher.NTDLL ref: 009D6543
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID: DispatcherExceptionUser
                        • String ID:
                        • API String ID: 6842923-0
                        • Opcode ID: 7f591b211fee5bd7486bd6e83ed404061dbd5f2eae88a531f9a9a0be05fa0d86
                        • Instruction ID: 07d163d09de23d3cc917d430ff3e21b1082290e13ae2b44c02c0b75c5ef5c858
                        • Opcode Fuzzy Hash: 7f591b211fee5bd7486bd6e83ed404061dbd5f2eae88a531f9a9a0be05fa0d86
                        • Instruction Fuzzy Hash: 9051DF78A01218CFDB54DF69C994B9DBBB2BF89304F1084EAD408A7366DB349E85CF11
                        Memory Dump Source
                        • Source File: 00000000.00000002.1715663653.00000000009D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 009D0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_9d0000_build.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7852b3690d0cf33fa0a78257433b3bd040d593f001e56a4a834ab79f0c8d8f3d
                        • Instruction ID: a632b709b88405a2f591eeeca42d76c02cd489ec59ecb528ec3a65b9ca0d8413
                        • Opcode Fuzzy Hash: 7852b3690d0cf33fa0a78257433b3bd040d593f001e56a4a834ab79f0c8d8f3d
                        • Instruction Fuzzy Hash: 6651C178A01218CFDB54DF69C994B9DBBB2FF89304F1094EAD408A7365DB309A85CF11
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID: Xbq$Xbq$$^q
                        • API String ID: 0-3405775106
                        • Opcode ID: 7b560292e478e931953e0d23bf166fd72195f66fe39f2e260c1f832bef1ebf56
                        • Instruction ID: 080020cc72f8f051f0fa6954ff7251991e38c35f00df08c0a8ad1f7c8971da39
                        • Opcode Fuzzy Hash: 7b560292e478e931953e0d23bf166fd72195f66fe39f2e260c1f832bef1ebf56
                        • Instruction Fuzzy Hash: DFC1CF74B042588BDB18AFB8985427E7FBBFFC5700B18C46ED84AD7395DE34880687A5
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID: xbq$$^q$$^q$C\Ep^
                        • API String ID: 0-1370529950
                        • Opcode ID: aea75958bece0b74ae66186cecfdba358ee6bb2abb5f3138a73ceaf9670b0961
                        • Instruction ID: 84c7d02c7def0c0e21b6001817ec288c705666158474ed943c45215342bd59e1
                        • Opcode Fuzzy Hash: aea75958bece0b74ae66186cecfdba358ee6bb2abb5f3138a73ceaf9670b0961
                        • Instruction Fuzzy Hash: FC917E347116149FCB09EB78D454B2E77E3EB88315F2084ADE80A9B3A8DF359C52CB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID: xbq$$^q$C\Ep^
                        • API String ID: 0-9597767
                        • Opcode ID: 9994d1d717025c94963f49a043286def41efafeb5e80264f5ebb8789bbfa2fca
                        • Instruction ID: 29f45954231dc75796a7aa40a48fd90304c0826ff129e8d035a7efa577d9bcda
                        • Opcode Fuzzy Hash: 9994d1d717025c94963f49a043286def41efafeb5e80264f5ebb8789bbfa2fca
                        • Instruction Fuzzy Hash: 3E818B347116149FCB09FB78D454B2E77A3EB88315F2084ADE80A9B3A9DF359C52CB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID: nKvq$nKvq
                        • API String ID: 0-2223595353
                        • Opcode ID: 599c1b6b6cc2002611ce51f5df8c99677d7bb63ace58d2474c3c695414765d7b
                        • Instruction ID: 617400dd347f9e4541d6166f22d0847d2cb4748b714127ad016ff443f0487ecc
                        • Opcode Fuzzy Hash: 599c1b6b6cc2002611ce51f5df8c99677d7bb63ace58d2474c3c695414765d7b
                        • Instruction Fuzzy Hash: DEC17275E006168FCB18DF68C8919AEBBB2FF88310B258649DD456B355DB30FC86CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID: nKvq$nKvq
                        • API String ID: 0-2223595353
                        • Opcode ID: 17f4ad18218acfd8c128298774bfd588de2cbf4d40062841236b0f6aa6a59345
                        • Instruction ID: e666a1e6630a8a24c2495b54b5d0c74c09516f91df8b21b315200b569e1caf12
                        • Opcode Fuzzy Hash: 17f4ad18218acfd8c128298774bfd588de2cbf4d40062841236b0f6aa6a59345
                        • Instruction Fuzzy Hash: F2B11B75E006168FCB18DF58C8919AEB7B2FF88310B258659ED45AB355DB30FC86CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID: dbq$dbq
                        • API String ID: 0-2758190078
                        • Opcode ID: d1240339b065ab9b0dc8f4f89c0cd33951105ef76317c7b44df5d033cd6d91f0
                        • Instruction ID: d229e049839eb51039ba7b73be76992bfb957d4204876040bc36feaef5448f9a
                        • Opcode Fuzzy Hash: d1240339b065ab9b0dc8f4f89c0cd33951105ef76317c7b44df5d033cd6d91f0
                        • Instruction Fuzzy Hash: 95513B74E11254DFCB04EFA8E9889ADBBF6FF88305B108469E406EB365DB319805CF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID: Te^q
                        • API String ID: 0-671973202
                        • Opcode ID: cfdf95a4313bd9bb6bc9ec182b3b772643afb088505d6d30da9544f20268b8f5
                        • Instruction ID: 56d687c31ad76b4c870110cb75fa1d54d71a6cbc9661b3437c7adb407fe79de7
                        • Opcode Fuzzy Hash: cfdf95a4313bd9bb6bc9ec182b3b772643afb088505d6d30da9544f20268b8f5
                        • Instruction Fuzzy Hash: B2414A70B102149FDB18EB69D894B6DB7E6EF88714F2480AAE505EB3A1DB71DC41CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID: dbq
                        • API String ID: 0-1887291361
                        • Opcode ID: 23b600f73c842c944eb8b30f09018929fcea8412316897fab3dafa377e2fac4d
                        • Instruction ID: 5d7b4b77cdcc4f80c7a1a52d2d9933501ce36bba0189812b6241de40151cb11c
                        • Opcode Fuzzy Hash: 23b600f73c842c944eb8b30f09018929fcea8412316897fab3dafa377e2fac4d
                        • Instruction Fuzzy Hash: AF514A78E11255CFCB04EFA8E98896CBBF6FF89305B2085A9E406DB365DB319905CF50
                        Strings
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID: XPrq
                        • API String ID: 0-2034928703
                        • Opcode ID: 13eb290df96c1772576405ddd6b52888a725fd0b054e84ca1b4ba0cb79667c8f
                        • Instruction ID: 4e21500b3bdd887ee5dbf4ceb55d7de46945aa43b9098a3c1fce1356c3e21a47
                        • Opcode Fuzzy Hash: 13eb290df96c1772576405ddd6b52888a725fd0b054e84ca1b4ba0cb79667c8f
                        • Instruction Fuzzy Hash: 3D11D671A083498FCB05EB68D4506BEBBB1EF87314B2580AAD408DB352EB309D06C7D5
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fa901188ac3e7a42654f29f5deb7725960f30a55b96d8ebe00f17c0559d81539
                        • Instruction ID: 25f3f390f5458793d838be89c0a460a32bb51bd93e267add7503740d849c18c7
                        • Opcode Fuzzy Hash: fa901188ac3e7a42654f29f5deb7725960f30a55b96d8ebe00f17c0559d81539
                        • Instruction Fuzzy Hash: 1F81D3705023568FCB06FF68EC50AAD7BB1FB85301B1049A9E0459B3B9DB74295ACFA1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ea53d7f50b12762615a564bb6524c7ed6392615b1127a303e9de814281b706fc
                        • Instruction ID: e7c80a075ac2f00a4cc974e8ea6f3c5da84b675bd15cca5bd8ac741a83171699
                        • Opcode Fuzzy Hash: ea53d7f50b12762615a564bb6524c7ed6392615b1127a303e9de814281b706fc
                        • Instruction Fuzzy Hash: 7E51F371A002158FCB18AF7DC8942BE7BF6EFC9204B24846EC409DB395EB359C42CB95
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1892135b99acc7385ede655ab751139000cfe9aafd7006f9ffa384c1be5a6a96
                        • Instruction ID: d7d7f1be880712861588e0a11d0abcc82da4b7054aecc2e194bdffd8532c5368
                        • Opcode Fuzzy Hash: 1892135b99acc7385ede655ab751139000cfe9aafd7006f9ffa384c1be5a6a96
                        • Instruction Fuzzy Hash: 3B517374601716DFCB09FF69EC54AAD7BB2FB84301B0049A9E00597378DBB42956CFA1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b866689d4023f2edf84b9cc7a64727e676fab10d0e29f845806cd3cb0cb9a0b2
                        • Instruction ID: 5b4e7dbceed03a4a7c729ec31abc6dd30ca804ae69e0d8239cc131ea8cd61ca6
                        • Opcode Fuzzy Hash: b866689d4023f2edf84b9cc7a64727e676fab10d0e29f845806cd3cb0cb9a0b2
                        • Instruction Fuzzy Hash: 654139B0D003498FCB10EFA9D944AAEBBF5FF89710F60452DD44AB7381E77469058B61
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 332163d935e81805b7f3bebed771d6799c5623801bfb07e14043a881e331e42b
                        • Instruction ID: 6e3f0c932faf3f3b083f9a406e2190a9689fc20984b5b42378b88214c08785a8
                        • Opcode Fuzzy Hash: 332163d935e81805b7f3bebed771d6799c5623801bfb07e14043a881e331e42b
                        • Instruction Fuzzy Hash: F6512075A00609CFCB14EF68C4849AABBF5FF88310B14C669D809DB345EB74E955CFA0
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6f6e730b6fd9864e04e371e141776007aed64b43e1088a829cd5b8c13606804a
                        • Instruction ID: d7e7c04ac780f90864878fc2f6e26a385acf34e0338b882baa7180675f9dca54
                        • Opcode Fuzzy Hash: 6f6e730b6fd9864e04e371e141776007aed64b43e1088a829cd5b8c13606804a
                        • Instruction Fuzzy Hash: BE41D47460A3908FD706EF38C454A657BA1EF97304B1484EEE145CF6A7EB64DC0ACBA1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 12af5197df13f6a2ded0c2d9249557316558fa41d9237f74002cf0b6cea28c2a
                        • Instruction ID: 3c883066abcd46041af12d315d71e77f3f9496966ee021e7c60530daf913654d
                        • Opcode Fuzzy Hash: 12af5197df13f6a2ded0c2d9249557316558fa41d9237f74002cf0b6cea28c2a
                        • Instruction Fuzzy Hash: 7C419B78A80744CFE705DF65E448BAA7BBAFB49305F108879E9018B3C5DB309929CF60
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0260fba666453702a18bf3e298edf46b80844880603e0b98fc5e193e30f49a34
                        • Instruction ID: e49c149745592a93e252b3fbce9a3f8d10fa83b0ab1fd24178b822112b7bfb66
                        • Opcode Fuzzy Hash: 0260fba666453702a18bf3e298edf46b80844880603e0b98fc5e193e30f49a34
                        • Instruction Fuzzy Hash: C7319E786012149FC704FF28C454A6A77A6FFC5705F548969E10A8F3A9EFB1EC05CBA0
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 940d6135a004c8c35a442dea3e0a98ad6ec261f1da613c3ba5900b46939524d8
                        • Instruction ID: b9533adb0e0524fff08f761e53b985300956ec6fa02ab7745a858d2075a8e8dc
                        • Opcode Fuzzy Hash: 940d6135a004c8c35a442dea3e0a98ad6ec261f1da613c3ba5900b46939524d8
                        • Instruction Fuzzy Hash: 9A41E2B1D00309CBDB14EFA9C984AEDBBB5FF48304F648429D409BB254D7756A46CF90
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 50cdfe366fdf0e8558d7cf885f8ab2b0a1c48b98f2204557c85f722cd1d982f9
                        • Instruction ID: 46527e9e6d4821cd0d3d92837400c7bb2a70c01ceac3f409ffa208e66554a3fa
                        • Opcode Fuzzy Hash: 50cdfe366fdf0e8558d7cf885f8ab2b0a1c48b98f2204557c85f722cd1d982f9
                        • Instruction Fuzzy Hash: 0F41B0B1D003098BDB14EFAAC984ADEBBB5AF49304F648029D409BB255D7756A45CF90
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a6c79c05016045badd7b522fd02ca32de97707051df8894014f57b722f41d155
                        • Instruction ID: 114c2d15a7fded2b94eb01b98c20f3534c9da71cd2720116ed01897662df2eac
                        • Opcode Fuzzy Hash: a6c79c05016045badd7b522fd02ca32de97707051df8894014f57b722f41d155
                        • Instruction Fuzzy Hash: A531C1342052509FC706EF38C454A697BE2EF82704F1488ADE049CF3A6DB71EC0ACBA1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e0a977c17cfd29ffa45770a5a144bada0bd10516278372b3c531d43f286b4a51
                        • Instruction ID: 1d314d6c5212064a700e795476fc9559cac64f2a88358b5af002c72c6f77885b
                        • Opcode Fuzzy Hash: e0a977c17cfd29ffa45770a5a144bada0bd10516278372b3c531d43f286b4a51
                        • Instruction Fuzzy Hash: 7011C271A0464A8FCB05EB68D4506BEBBB1EF87310B1181AAD408DB352EB30DD01CBD1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 446a66e903e469829b35ba5ba8201e97afcc3ff8361bfdf775954d18f30d497e
                        • Instruction ID: 1a64aab5ed272dbbea4febe84b48c4438b699dbcfa754c240d55f32a1af216f0
                        • Opcode Fuzzy Hash: 446a66e903e469829b35ba5ba8201e97afcc3ff8361bfdf775954d18f30d497e
                        • Instruction Fuzzy Hash: 1931D975A043458FC701EF78C8045AABBE6EFD5314795C8ADD00AEB751EB71EC098BA1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3897b9875999202d54ebff0af2acedef6e30584add7a703944167a1d5497ff47
                        • Instruction ID: 994949ea4b965ca26cac515efbc0007b850e5b83825bed39cf95b7f11671747f
                        • Opcode Fuzzy Hash: 3897b9875999202d54ebff0af2acedef6e30584add7a703944167a1d5497ff47
                        • Instruction Fuzzy Hash: EB210436A042588FCB009FA9D894AEEBFF5EF88220F38815AE454D7252C735DC12DB60
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b020e433d95058596f15c2f95e484843756139a08b109ddf14cb52d636813196
                        • Instruction ID: 4cc8a5fa4aeaec208ba446554733a0e17f35bef9f0db241793b6e05da1ee2823
                        • Opcode Fuzzy Hash: b020e433d95058596f15c2f95e484843756139a08b109ddf14cb52d636813196
                        • Instruction Fuzzy Hash: 6631F2B0D012489FDB24EF99D588B9EBBF5EF49310F248069E408AB351CB74A945CBA0
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bff977e602853685acbca9d4f3b30952f75f818c3dfd61f8b8136a3676f57bf6
                        • Instruction ID: 494ece20f71a7a00febd843c0139217b27b76ceb12bc4eb8b0b58172ea2cfb71
                        • Opcode Fuzzy Hash: bff977e602853685acbca9d4f3b30952f75f818c3dfd61f8b8136a3676f57bf6
                        • Instruction Fuzzy Hash: 743101B0D012489FDB14EF98D584BADBBF5EF49300F248069E409BB3A5CB74A945CFA1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 37a30cfc4d2ef01c558af8e9a5bd376b8b23c4b974cd9229c4eaefd53a51b41c
                        • Instruction ID: 995ff8fdf8ab2ab25a4b5b351e2a1d9996530c495c53efd3727159fc605d8772
                        • Opcode Fuzzy Hash: 37a30cfc4d2ef01c558af8e9a5bd376b8b23c4b974cd9229c4eaefd53a51b41c
                        • Instruction Fuzzy Hash: D611E271A0838A8FCB02EB68D4106BEBFB1EF87310B1581EAC448DB352E7309D05C7A1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 25c30584f4f8098b6afa5eba4696accf3311cba66f2b37642f05589466921e8a
                        • Instruction ID: 3c142273e3b4e14f955b453ebb65128ab908240f6bf46cca9becb6519b86dc80
                        • Opcode Fuzzy Hash: 25c30584f4f8098b6afa5eba4696accf3311cba66f2b37642f05589466921e8a
                        • Instruction Fuzzy Hash: 4E31E1B0D012489FDB24EF99D584B9DBFF5EF49310F248069E409BB355CB74A949CBA0
                        Memory Dump Source
                        • Source File: 00000003.00000002.4166763108.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_d8d000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f2acbc8a75ba7a8668ec88e107a4b00da47d921838bbdb97621387d82a211fc7
                        • Instruction ID: 0580d47bdd07e4586f757dbaa9a0eda1f822f82f99f437385d0420156a1327e4
                        • Opcode Fuzzy Hash: f2acbc8a75ba7a8668ec88e107a4b00da47d921838bbdb97621387d82a211fc7
                        • Instruction Fuzzy Hash: F1210471604204AFCB10EF14D9C4B26BBA6FB94324F24C569D8490B2C1C33AD847CB72
                        Memory Dump Source
                        • Source File: 00000003.00000002.4166763108.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_d8d000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 20bdae816542e9fa65e2b12b34e39c95928043f13680c96d6cadd5c8f13b459a
                        • Instruction ID: d4d1f5e7ec769ad823c21493ddb39483eb1e3f4e131be27a0016810c5147c8a1
                        • Opcode Fuzzy Hash: 20bdae816542e9fa65e2b12b34e39c95928043f13680c96d6cadd5c8f13b459a
                        • Instruction Fuzzy Hash: E621F5B5604304AFDB04EF14D5C4B26BBA6FB94314F24CA6DD84A4B2C6C736D806CB71
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9de56c5e8de45daaf2745fb160b83b24ff0e2219c462979f1e8ef41f21b77f64
                        • Instruction ID: 0e48c0d2a95dfbaec5e1bc95f144a8e3b691877a900b22746bd25a7c8eb25035
                        • Opcode Fuzzy Hash: 9de56c5e8de45daaf2745fb160b83b24ff0e2219c462979f1e8ef41f21b77f64
                        • Instruction Fuzzy Hash: B231EFB0D012489FDB14DFA9C584B9DBBF5EF49310F248069E409AB355CB74A945CB94
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1efc52a663a5f4dd3e35cc14ee4fb71ea44dd8e0a57db851560b164ee68e3812
                        • Instruction ID: 0e0b5516b72ae948fd87c094faa7f351c677909e95aef2f82463bed0458b5e52
                        • Opcode Fuzzy Hash: 1efc52a663a5f4dd3e35cc14ee4fb71ea44dd8e0a57db851560b164ee68e3812
                        • Instruction Fuzzy Hash: 2C11B271A0934A8FCB06EB68D4506BEBFB5EF87310B1581EAC449DB352E7309D05C7A1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4166763108.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_d8d000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 50cd355172c118af9de3d1ca3cbe6d91db4e982bc83c1944bc5dd3f0e7537be8
                        • Instruction ID: 45eedba1f64b111f71880631d247a6b82fec3d5ad71324a051dadb5c5b6f7d07
                        • Opcode Fuzzy Hash: 50cd355172c118af9de3d1ca3cbe6d91db4e982bc83c1944bc5dd3f0e7537be8
                        • Instruction Fuzzy Hash: 272192755093C08FCB12DF20D994715BF71EB46314F29C1EAD8898B6D3C33A980ACB62
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 55a43cbb1566ef6b8a17809d0046e9a6d3d1fb77f775e318708f084f25fd6ac2
                        • Instruction ID: 86aa31848eead0d2c0aa91e5082468e56fe2a3a0ce857c64bbf5a3cec81a3479
                        • Opcode Fuzzy Hash: 55a43cbb1566ef6b8a17809d0046e9a6d3d1fb77f775e318708f084f25fd6ac2
                        • Instruction Fuzzy Hash: 0011B271A0824A9FCB06EB68D4506BEBFB1EF87314B2581AAD448DB352DB309905C796
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3d826caf1c29ae0a15336ff4b819360548695432399d19ef39d07492e33abef7
                        • Instruction ID: a205c67fc7ebe5f11975c5c991bc471fe21d5548cbc7b10413fe0a965c375680
                        • Opcode Fuzzy Hash: 3d826caf1c29ae0a15336ff4b819360548695432399d19ef39d07492e33abef7
                        • Instruction Fuzzy Hash: 3621E93CAC1650CFE305AF21E54CA6937AAF789705F10C879AE114B7C8DB749929CF20
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: daac47e9076205eb6c8acab9080d6e701ef4ccd4ee2b6448349ea459e5c26355
                        • Instruction ID: 277700c922f8dc4fe8d2b5cef5979776c57d605b5ecce49e30f4b49617e00ca0
                        • Opcode Fuzzy Hash: daac47e9076205eb6c8acab9080d6e701ef4ccd4ee2b6448349ea459e5c26355
                        • Instruction Fuzzy Hash: 9811363060A7D49FCB039B28D4545AABFB0EF86310B1540ABE9409B392C7749815CB90
                        Memory Dump Source
                        • Source File: 00000003.00000002.4166763108.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_d8d000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                        • Instruction ID: 61d051ba3cbba0ad7ba32b2062b0edca58b52d3c80a7f0037abb3adc765d7da7
                        • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                        • Instruction Fuzzy Hash: 6311DD75904280DFDB01DF14D5C4B15BBB2FB88324F28C6ADD8094B296C33AD80ACB61
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: a97c6930c59c1b00f0318f620db214bbd7c87c9046a57fe5696cd0a36e89d0ae
                        • Instruction ID: f96d9b060fbd9bcc564cc9d0a6259e57b36e87eb72f235543d1bc5f52ef1a578
                        • Opcode Fuzzy Hash: a97c6930c59c1b00f0318f620db214bbd7c87c9046a57fe5696cd0a36e89d0ae
                        • Instruction Fuzzy Hash: DD014471A101449FDB45EF75D8885BABBF6EBD4314738C4AAD40CCB256DA34C946CB60
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e780241f56bc08247d1cad249482dc71c8ea8e6b506fa2c40b8bc0d614d07a79
                        • Instruction ID: 01870fe569b59b193d629c11c38f1c2c075c04361730a3ceca269827d6035b26
                        • Opcode Fuzzy Hash: e780241f56bc08247d1cad249482dc71c8ea8e6b506fa2c40b8bc0d614d07a79
                        • Instruction Fuzzy Hash: 7D111B35901209DFDB10DFAAC4949AEBFF5EF4D220F248199E958AB361CB309D40CBA4
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: de1660cf00ca24521b19862c8d8257b9f9c4fd529622153c557783c5ae96ee21
                        • Instruction ID: 10a17cc4ea88fdfe069dab096f14f94b776b91e6a58e04481d4a150835849ddf
                        • Opcode Fuzzy Hash: de1660cf00ca24521b19862c8d8257b9f9c4fd529622153c557783c5ae96ee21
                        • Instruction Fuzzy Hash: 3E010875A00209DFDB10DFAAC4949AEBBF5EF4D320F24C159E929A7361CA309D40DFA4
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f4bbb94eab97015d0f0957f4723830656bf90e53bce05cc7f77a8d8006c774dc
                        • Instruction ID: db369469929feaff05db04454c430486068117e2d73c21695e6a322e8a00c4e6
                        • Opcode Fuzzy Hash: f4bbb94eab97015d0f0957f4723830656bf90e53bce05cc7f77a8d8006c774dc
                        • Instruction Fuzzy Hash: 37F02B3AB4053007C315AEACA4043BEB78DD7816A8F1DC06EE64DDBBC5E661DC164BE0
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 931a30f49553aa280df22e51169dcaa5fbaa5dc7ca127fd5e0843a44eaef9e85
                        • Instruction ID: 81c4161932f2eb61533e6410f182a480822294ab1c38e3c6ee52cd94e1db6c98
                        • Opcode Fuzzy Hash: 931a30f49553aa280df22e51169dcaa5fbaa5dc7ca127fd5e0843a44eaef9e85
                        • Instruction Fuzzy Hash: BAF02BB77041505FC3015F6DD854866BFE9EFD926131940ABF609CB362EA71EC15C760
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 930d709d287b601542d8f1a326ef2c8e2f51ab2a42e3172462304d7226a3844c
                        • Instruction ID: db7bbd6adcc9111e3fca7328031895c03269777d27e52b0c0dd1799d0d1e5eaa
                        • Opcode Fuzzy Hash: 930d709d287b601542d8f1a326ef2c8e2f51ab2a42e3172462304d7226a3844c
                        • Instruction Fuzzy Hash: DBF027342046949FDB03BFA9C80876A3F96EF82314B6448E5EB458F296D921DC2687C1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3962db36f2a5275f83fb6484ab8792c1d8d2a2dacd6cd28c012277b0086e7276
                        • Instruction ID: eb3a02e42acaabb2fd77a3cc5341d00abf50b75afdc3dd27caaa8fe5108c6f20
                        • Opcode Fuzzy Hash: 3962db36f2a5275f83fb6484ab8792c1d8d2a2dacd6cd28c012277b0086e7276
                        • Instruction Fuzzy Hash: 29F0A771546604EFC701EFA8DD0086DBBB6EB8A30176085DAE805D7351EB305E109B71
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e6087c09c61395401278708888e2cb26e2fe28f812e655dcb7f2a91d6a13d1a8
                        • Instruction ID: 4ffa6f94aedc32a13d8c17cc703077c4daa4850b3524e0657f8b08508a9e0120
                        • Opcode Fuzzy Hash: e6087c09c61395401278708888e2cb26e2fe28f812e655dcb7f2a91d6a13d1a8
                        • Instruction Fuzzy Hash: 84F020346082A05FC3139F6890082697FAEDF47648B0E80D9D988CFBC7C321E8568BE1
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 30ac742ff112b1285e0a32b47b48e513ec8fbfc0f2dd45848c4019fce3845042
                        • Instruction ID: e7730277865b9e4f8c14d1498c11be81fa3f626b4938cfd3e0d26285f52b2d06
                        • Opcode Fuzzy Hash: 30ac742ff112b1285e0a32b47b48e513ec8fbfc0f2dd45848c4019fce3845042
                        • Instruction Fuzzy Hash: 1AE04F7A7005205BC3049F5EE848D5BBBEEEBCD760715812AF609C7361D9B2EC158BB0
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 0f03e56bd015c63cae1052f9b517b58b56479f0fd80b9f2834d26c45e386aa4a
                        • Instruction ID: c5071afb14b012e2a21f9f70bb08166bd6a0c1479a8594477fcf2e56df74f4a5
                        • Opcode Fuzzy Hash: 0f03e56bd015c63cae1052f9b517b58b56479f0fd80b9f2834d26c45e386aa4a
                        • Instruction Fuzzy Hash: AAE0C2393001549BDB01B76AD808A1A3B5BEB8535CF058064E60A8B284DA36D8359BD5
                        Memory Dump Source
                        • Source File: 00000003.00000002.4167015486.00000000026C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_26c0000_cvtres.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6b8c08ab411099c7542ecad4eec0211be3fee4dfc20555b2ec4f148278057c9e
                        • Instruction ID: 693a766d644631e3b70ef325df19821c3dc37d70612a108b4e4406dfb444fb2a
                        • Opcode Fuzzy Hash: 6b8c08ab411099c7542ecad4eec0211be3fee4dfc20555b2ec4f148278057c9e
                        • Instruction Fuzzy Hash: 9FE04F74A02208EFC700FFA4E90145CBBB6EB493017108595EC0893314DB311F209BA1