
Windows Analysis Report
uLFOeGZaJS.exe

Overview

General Information

Sample name: uLFOeGZaJS.exe (renamed because original name is a hash value)
Original sample name: 455c4725e43d0a0336232373e7ff05968a4ce178ec845263237880781c4456ea.exe
Analysis ID: 1567463
MD5: ec02b1d48f34dfa40ef212f737738d5e
SHA1: 644d63dcc57b3a82727122a152e9db6a1a97101f
SHA256: 455c4725e43d0a0336232373e7ff05968a4ce178ec845263237880781c4456ea
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • uLFOeGZaJS.exe (PID: 1264 cmdline: "C:\Users\user\Desktop\uLFOeGZaJS.exe" MD5: EC02B1D48F34DFA40EF212F737738D5E)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "admin@ercolina-usa.com", "Password": ",%EVY$JU0=lu"}
Source: uLFOeGZaJS.exe | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: uLFOeGZaJS.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: uLFOeGZaJS.exe | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: uLFOeGZaJS.exe | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
  • 0x35fef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x36061:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x360eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3617d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x361e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x36259:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x362ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3637f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: uLFOeGZaJS.exe | Rule: MALWARE_Win_AgentTeslaV2 | Description: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
  • 0x33095:$s2: GetPrivateProfileString
  • 0x326cb:$s3: get_OSFullName
  • 0x33e9d:$s5: remove_Key
  • 0x34033:$s5: remove_Key
  • 0x34f6a:$s6: FtpWebRequest
  • 0x35fd1:$s7: logins
  • 0x36543:$s7: logins
  • 0x39220:$s7: logins
  • 0x39300:$s7: logins
  • 0x3adcd:$s7: logins
  • 0x39e9a:$s9: 1.85 (Hash, version 2, native byte-order)
Source: 00000000.00000002.4531022648.000000000310D000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000000.2077701139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000000.2077701139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000000.00000002.4531022648.00000000030E5000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000000.00000002.4531022648.00000000030E5000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
  • 0x35fef:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x36061:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x360eb:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3617d:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x361e7:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x36259:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x362ef:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3637f:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack | Rule: MALWARE_Win_AgentTeslaV2 | Description: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
  • 0x33095:$s2: GetPrivateProfileString
  • 0x326cb:$s3: get_OSFullName
  • 0x33e9d:$s5: remove_Key
  • 0x34033:$s5: remove_Key
  • 0x34f6a:$s6: FtpWebRequest
  • 0x35fd1:$s7: logins
  • 0x36543:$s7: logins
  • 0x39220:$s7: logins
  • 0x39300:$s7: logins
  • 0x3adcd:$s7: logins
  • 0x39e9a:$s9: 1.85 (Hash, version 2, native byte-order)

No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: uLFOeGZaJS.exe | Avira: detected
Source: uLFOeGZaJS.exe | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.ercolina-usa.com", "Username": "admin@ercolina-usa.com", "Password": ",%EVY$JU0=lu"}
Source: uLFOeGZaJS.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: uLFOeGZaJS.exe | Joe Sandbox ML: detected
Source: uLFOeGZaJS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: uLFOeGZaJS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: uLFOeGZaJS.exe, type: SAMPLE
Source: Yara match | File source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 192.254.225.136
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0; Host: api.ipify.org; Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: ftp.ercolina-usa.com
Source: uLFOeGZaJS.exe, 00000000.00000002.4531022648.000000000310D000.00000004.00000800.00020000.00000000.sdmp, uLFOeGZaJS.exe, 00000000.00000002.4531022648.0000000003286000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ercolina-usa.com
Source: uLFOeGZaJS.exe, 00000000.00000002.4531022648.000000000310D000.00000004.00000800.00020000.00000000.sdmp, uLFOeGZaJS.exe, 00000000.00000002.4531022648.0000000003286000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.ercolina-usa.com
Source: uLFOeGZaJS.exe, 00000000.00000002.4531022648.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: uLFOeGZaJS.exe | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: uLFOeGZaJS.exe, 00000000.00000002.4531022648.0000000003081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: uLFOeGZaJS.exe | String found in binary or memory: https://account.dyn.com/
Source: uLFOeGZaJS.exe | String found in binary or memory: https://api.ipify.org
Source: uLFOeGZaJS.exe, 00000000.00000002.4531022648.0000000003081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: uLFOeGZaJS.exe, 00000000.00000002.4531022648.0000000003081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.5:49704 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: uLFOeGZaJS.exe, BZbr69Oq62w.cs | .Net Code: vJoJ
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\uLFOeGZaJS.exe
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: uLFOeGZaJS.exe, type: SAMPLE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: uLFOeGZaJS.exe, type: SAMPLE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_013541B0
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_0135B3D0
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_01354A80
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_0135AC08
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_0135EE18
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_01353E68
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DC6F10
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DC1C80
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DC5A2C
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DC6248
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DC623B
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DC6F30
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DDAED0
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DD2430
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DD6288
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DD5270
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DD7A10
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DDC230
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DDE458
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DD7330
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DD0040
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DD0007
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_06DD5990
Source: uLFOeGZaJS.exe, 00000000.00000000.2077736795.0000000000CD0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename 8d205da5-a06f-41c4-923e-b97a14abb967.exe4 vs uLFOeGZaJS.exe
Source: uLFOeGZaJS.exe, 00000000.00000002.4530485791.000000000136E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename clr.dllT vs uLFOeGZaJS.exe
Source: uLFOeGZaJS.exe, 00000000.00000002.4530112044.00000000010F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilename UNKNOWN_FILET vs uLFOeGZaJS.exe
Source: uLFOeGZaJS.exe | Binary or memory string: OriginalFilename 8d205da5-a06f-41c4-923e-b97a14abb967.exe4 vs uLFOeGZaJS.exe
Source: uLFOeGZaJS.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: uLFOeGZaJS.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: uLFOeGZaJS.exe, type: SAMPLE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: uLFOeGZaJS.exe, hcbDrTLwTC.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: uLFOeGZaJS.exe, CMQvPoq8cy.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: uLFOeGZaJS.exe, e5d0T5Np.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: uLFOeGZaJS.exe, 71JxQ8.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: uLFOeGZaJS.exe, CnG3o.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: uLFOeGZaJS.exe, 2FAFIfKp.cs | Cryptographic APIs: 'CreateDecryptor'
Source: uLFOeGZaJS.exe, gdOsx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: uLFOeGZaJS.exe, gdOsx.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: uLFOeGZaJS.exe, tG6Nh.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: uLFOeGZaJS.exe, tG6Nh.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: uLFOeGZaJS.exe | Binary string: ID: 0x{0:X}qSize of the SerializedPropertyStore is less than 8 ({0})/StoreSize: {0} (0x{0X})3\Device\LanmanRedirector\[Failed to retrieve system handle information.
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/0@3/3
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Mutant created: NULL
Source: uLFOeGZaJS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: uLFOeGZaJS.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: uLFOeGZaJS.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: uLFOeGZaJS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: uLFOeGZaJS.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Code function: 0_2_01350C55 push edi; retf 0_2_01350C7A
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\uLFOeGZaJS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: uLFOeGZaJS.exe; Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Memory allocated: 1330000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Memory allocated: 3080000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Memory allocated: 16C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Thread delayed: delay time, 52 entries in order (values in milliseconds; 922337203685477 ms is .NET TimeSpan.MaxValue expressed in whole milliseconds, i.e. an effectively infinite delay; the two countdown series step down by roughly 110 ms per call): 922337203685477, 600000, 599875, 599711, 599609, 599500, 599389, 599282, 599157, 599032, 598907, 598782, 598672, 598563, 598438, 598313, 598188, 598063, 597953, 597844, 597719, 597610, 597485, 597359, 597216, 597107, 596978, 596875, 596762, 596656, 596547, 596438, 300000, 299891, 299781, 299672, 299562, 299453, 299344, 299219, 299109, 299000, 298891, 298781, 298672, 298563, 298438, 298313, 298202, 298082, 297968, 297858
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Window / User API: threadDelayed 2062
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Window / User API: threadDelayed 7775
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe TID: 6088; Thread sleep count: 37 > 30
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe TID: 6276; Thread sleep count: 2062 > 30
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe TID: 6276; Thread sleep count: 7775 > 30
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe TID: 6088; Thread sleep time, 52 entries in order, each reported as "-Ns >= -30000s": -34126476536362649s, -600000s, -599875s, -599711s, -599609s, -599500s, -599389s, -599282s, -599157s, -599032s, -598907s, -598782s, -598672s, -598563s, -598438s, -598313s, -598188s, -598063s, -597953s, -597844s, -597719s, -597610s, -597485s, -597359s, -597216s, -597107s, -596978s, -596875s, -596762s, -596656s, -596547s, -596438s, -300000s, -299891s, -299781s, -299672s, -299562s, -299453s, -299344s, -299219s, -299109s, -299000s, -298891s, -298781s, -298672s, -298563s, -298438s, -298313s, -298202s, -298082s, -297968s, -297858s
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Thread delayed: the same 52 delay values already listed above (922337203685477, then 600000 down to 596438, then 300000 down to 297858), repeated a second time in the report
Source: uLFOeGZaJS.exe, 00000000.00000002.4531022648.00000000030E5000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware
Source: uLFOeGZaJS.exe; Binary or memory string: vmware
Source: uLFOeGZaJS.exe; Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: uLFOeGZaJS.exe, 00000000.00000002.4530485791.0000000001436000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Process information queried: ProcessInformation
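The evidence in this section (the ip-api.com hosting lookup, the Win32_* WMI queries, the SBIEDLL.DLL string and the descending sleep series) is the raw material for a triage rule. The block below is an added example, not part of the Joe Sandbox report and not AgentTesla code: it parses lines written in the report's own evidence format and scores them. The sample lines are constructed from the entries above, and the thresholds (three indicators for an "evasive" verdict, a 1000 ms maximum step between two values of one countdown run) and the WMI-class and module lists are assumptions chosen to fit this report. One fact it relies on: 922337203685477 ms is .NET TimeSpan.MaxValue in whole milliseconds, so the first delay value is a request to sleep as long as the type allows.

```python
import re

# Constructed sample of evidence lines, modelled on the entries in this section
# (a subset: the report itself lists 52 delay values and more WMI classes).
SAMPLE_LINES = [
    "HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com",
    "WMI Queries: IWbemServices::ExecQuery - root\\CIMV2 : SELECT * FROM Win32_VideoController",
    "WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_BaseBoard",
    "Thread delayed: delay time: 922337203685477",
    "Thread delayed: delay time: 600000",
    "Thread delayed: delay time: 599875",
    "Thread delayed: delay time: 599711",
    "Thread delayed: delay time: 300000",
    "Thread delayed: delay time: 299891",
    "Binary or memory string: SBIEDLL.DLL",
]

# .NET TimeSpan.MaxValue is Int64.MaxValue ticks of 100 ns each; in whole
# milliseconds that is 922337203685477, the first delay value in the report.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000   # the report's own ">= 3 min" threshold
CHUNK_GAP_MS = 1000             # assumed max step between values of one countdown run

# WMI classes commonly read to fingerprint a VM (all of these appear in the report).
VM_WMI_CLASSES = {"win32_videocontroller", "win32_baseboard", "win32_computersystem",
                  "win32_processor", "win32_networkadapterconfiguration"}
# Module names looked for to detect a sandbox; SBIEDLL.DLL (Sandboxie) is in the report.
SANDBOX_MODULES = {"sbiedll.dll"}

DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
WMI_RE = re.compile(r"^WMI Queries: .*?(Win32_\w+)", re.IGNORECASE)
STRING_RE = re.compile(r"Binary or memory string: (\S+)")


def parse_delays_ms(lines):
    """Delay values (ms) in the order the report lists them."""
    out = []
    for line in lines:
        m = DELAY_RE.search(line)
        if m:
            out.append(int(m.group(1)))
    return out


def sleep_loop_profile(delays):
    """Split the delays into the 'sleep as long as possible' sentinel and countdown runs.

    A run is a strictly decreasing series with small steps (about 110 ms here),
    the shape a loop produces when it repeatedly sleeps for 'deadline minus
    elapsed'; the report's 600000, 599875, 599711 ... series looks like that.
    """
    infinite = [d for d in delays if d >= TIMESPAN_MAX_MS]
    finite = [d for d in delays if d < TIMESPAN_MAX_MS]
    runs = []
    for d in finite:
        last = runs[-1][-1] if runs else None
        if last is not None and 0 < last - d < CHUNK_GAP_MS:
            runs[-1].append(d)
        else:
            runs.append([d])
    return {
        "infinite_sleep": bool(infinite),
        "max_finite_ms": max(finite, default=0),
        "long_sleep": any(d >= LONG_SLEEP_MS for d in finite),
        "descending_runs": [(r[0], r[-1], len(r)) for r in runs if len(r) > 1],
    }


def score_evasion(lines):
    """Combine the section's evasion indicators into one verdict."""
    hosting_check = any("ip-api.com" in line and "fields=hosting" in line for line in lines)
    wmi = {m.group(1) for line in lines if (m := WMI_RE.match(line))}
    vm_wmi = sorted(c for c in wmi if c.lower() in VM_WMI_CLASSES)
    sandbox_mods = sorted(m.group(1) for line in lines
                          if (m := STRING_RE.search(line)) and m.group(1).lower() in SANDBOX_MODULES)
    sleep = sleep_loop_profile(parse_delays_ms(lines))
    indicators = [hosting_check, len(vm_wmi) >= 2, bool(sandbox_mods),
                  sleep["infinite_sleep"] or sleep["long_sleep"], bool(sleep["descending_runs"])]
    return {
        "hosting_check": hosting_check,
        "vm_wmi_classes": vm_wmi,
        "sandbox_modules": sandbox_mods,
        "sleep": sleep,
        "indicator_count": sum(indicators),
        "verdict": "evasive" if sum(indicators) >= 3 else "inconclusive",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(score_evasion(SAMPLE_LINES), indent=2))
```

The countdown runs are the more durable signal of the five: a sandbox that skips or shortens sleeps changes the gaps between successive values, while an unmodified host produces the steady ~110 ms steps seen in the report, so the same parser can also be used to check whether an analysis environment is leaking its sleep patching.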

                        Anti Debugging

Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Code function: 0_2_01357F59 CheckRemoteDebuggerPresent
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Process queried: DebugPort
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Queries volume information: C:\Users\user\Desktop\uLFOeGZaJS.exe VolumeInformation
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Stealing of Sensitive Information

Source: Yara match; File source: uLFOeGZaJS.exe, type: SAMPLE
Source: Yara match; File source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.4531022648.000000000310D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.2077701139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4531022648.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: uLFOeGZaJS.exe PID: 1264, type: MEMORYSTR
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (3 identical entries)
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\uLFOeGZaJS.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match; File source: uLFOeGZaJS.exe, type: SAMPLE
Source: Yara match; File source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000000.2077701139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4531022648.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: uLFOeGZaJS.exe PID: 1264, type: MEMORYSTR
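The file and registry accesses above are what an infostealer detection correlates on: no single path is suspicious on its own (a browser opens its own Login Data and Cookies files constantly), but one process reading the credential stores of several unrelated applications is. The block below is an added example, not part of the report and not AgentTesla code. It classifies accesses into store categories with patterns built from the paths and keys listed in this section, and flags a process that reads three or more stores it does not own. The sample events are constructed, and the owner-process lists and the threshold of three are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of (process, path or registry key) accesses, modelled on the
# entries in this section, plus a benign browser touching its own stores.
SAMPLE_EVENTS = [
    ("uLFOeGZaJS.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("uLFOeGZaJS.exe", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies"),
    ("uLFOeGZaJS.exe", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite"),
    ("uLFOeGZaJS.exe", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    ("uLFOeGZaJS.exe", r"C:\FTP Navigator\Ftplist.txt"),
    ("uLFOeGZaJS.exe", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    ("uLFOeGZaJS.exe", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    ("chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    ("chrome.exe", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
]

# (category, processes assumed to legitimately open the store, pattern on the
# normalised path). Owner lists are illustrative; extend them per environment.
STORE_RULES = [
    ("browser:chromium", {"chrome.exe", "msedge.exe"},
     re.compile(r"/(google/chrome|microsoft/edge)/user data/.*/(login data|network/cookies)$")),
    ("browser:gecko", {"firefox.exe"},
     re.compile(r"/(mozilla/firefox|8pecxstudios/cyberfox|netgate technologies/blackhawk)/.*(profiles\.ini|cookies\.sqlite)$")),
    ("mail:thunderbird", {"thunderbird.exe"}, re.compile(r"/thunderbird/profiles\.ini$")),
    ("mail:mapi-profiles", set(), re.compile(r"/windows messaging subsystem/profiles$")),
    ("mail:incredimail", set(), re.compile(r"/incredimail/identities$")),
    ("ftp:ftp-navigator", set(), re.compile(r"/ftp navigator/ftplist\.txt$")),
    ("sftp:winscp", {"winscp.exe"}, re.compile(r"/martin prikryl/winscp 2/sessions$")),
]


def normalise(path):
    """Lower-case, forward-slash form so one pattern covers file paths and registry keys."""
    return path.replace("\\", "/").lower().rstrip("/")


def classify_store(path):
    """Return (category, owners) if the path is a known credential store, else None."""
    p = normalise(path)
    for category, owners, pattern in STORE_RULES:
        if pattern.search(p):
            return category, owners
    return None


def correlate_credential_access(events, threshold=3):
    """Per process: stores touched, stores touched that it does not own, and a verdict."""
    touched = defaultdict(set)
    foreign = defaultdict(set)
    for process, path in events:
        hit = classify_store(path)
        if hit is None:
            continue
        category, owners = hit
        touched[process].add(category)
        if process.lower() not in owners:
            foreign[process].add(category)
    return {
        process: {
            "categories": sorted(cats),
            "foreign_categories": sorted(foreign[process]),
            "flagged": len(foreign[process]) >= threshold,
        }
        for process, cats in touched.items()
    }


if __name__ == "__main__":
    for process, verdict in correlate_credential_access(SAMPLE_EVENTS).items():
        print(process, verdict)
```

Feeding real file-access telemetry (for example Sysmon Event ID 11 plus registry open events) through the same function gives the rule its value: the sample's Chrome, Edge, Firefox, Thunderbird, FTP Navigator, WinSCP and IncrediMail reads land in six distinct categories, none of which uLFOeGZaJS.exe owns, whereas the browser's reads of its own stores score zero.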

                        Remote Access Functionality

Source: Yara match; File source: uLFOeGZaJS.exe, type: SAMPLE
Source: Yara match; File source: 0.0.uLFOeGZaJS.exe.c90000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000002.4531022648.000000000310D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.2077701139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4531022648.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: uLFOeGZaJS.exe PID: 1264, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic column; digits preceding a technique name are kept exactly as the report shows them):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 231 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 261 Virtualization/Sandbox Evasion; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading; Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: 2 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 Query Registry; 531 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 34 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Email Collection; 21 Input Capture; 11 Archive Collected Data; 2 Data from Local System; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Source | Detection | Scanner | Label
uLFOeGZaJS.exe | 79% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
uLFOeGZaJS.exe | 100% | Avira | HEUR/AGEN.1305739
uLFOeGZaJS.exe | 100% | Joe Sandbox ML |
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
                        No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ercolina-usa.com | 192.254.225.136 | true | true | | unknown
api.ipify.org | 172.67.74.152 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
ftp.ercolina-usa.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | uLFOeGZaJS.exe | false | | high
https://account.dyn.com/ | uLFOeGZaJS.exe | false | | high
https://api.ipify.org/t | uLFOeGZaJS.exe, 00000000.00000002.4531022648.0000000003081000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | uLFOeGZaJS.exe, 00000000.00000002.4531022648.0000000003081000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ftp.ercolina-usa.com | uLFOeGZaJS.exe, 00000000.00000002.4531022648.000000000310D000.00000004.00000800.00020000.00000000.sdmp, uLFOeGZaJS.exe, 00000000.00000002.4531022648.0000000003286000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ercolina-usa.com | uLFOeGZaJS.exe, 00000000.00000002.4531022648.000000000310D000.00000004.00000800.00020000.00000000.sdmp, uLFOeGZaJS.exe, 00000000.00000002.4531022648.0000000003286000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | uLFOeGZaJS.exe, 00000000.00000002.4531022648.00000000030D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
192.254.225.136 | ercolina-usa.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
172.67.74.152 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1567463
                                                  Start date and time:2024-12-03 15:59:10 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 6m 50s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:4
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:uLFOeGZaJS.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:455c4725e43d0a0336232373e7ff05968a4ce178ec845263237880781c4456ea.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@1/0@3/3
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 88
                                                  • Number of non-executed functions: 13
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                  • VT rate limit hit for: uLFOeGZaJS.exe
Time | Type | Description
10:00:08 | API Interceptor | 9767068x Sleep call for process: uLFOeGZaJS.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.254.225.136 | RICHIESTA D'OFFERTA.exe | malicious | AgentTesla, PureLog Stealer, zgRAT |
192.254.225.136 | QUOTATION#09678.exe | malicious | AgentTesla |
192.254.225.136 | PURCHASE SPCIFICIATIONS.exe | malicious | AgentTesla, PureLog Stealer |
192.254.225.136 | LISTA DE COTIZACIONES.exe | malicious | AgentTesla, PureLog Stealer |
192.254.225.136 | QUOTATION#5400.exe | malicious | AgentTesla |
192.254.225.136 | QUOTATION#2800-QUANTUM MACTOOLS.exe | malicious | AgentTesla, PureLog Stealer |
192.254.225.136 | QUOTATION#2800-QUANTUM MACTOOLS.exe | malicious | AgentTesla, PureLog Stealer |
192.254.225.136 | 2JHGWjmJ46.exe | malicious | AgentTesla |
192.254.225.136 | COTIZACI#U00d3N#08673.exe | malicious | AgentTesla, DarkTortilla |
192.254.225.136 | vD6qU34v9S.exe | malicious | AgentTesla |
208.95.112.1 | SANTANDER%20AUDITORIA.scr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Pago devuelto #.Documentos#97875657896786756457678568.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | PURCHASE_ORDER_120224.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Itnaledi Salary_ Payslip _ Updates4C79949D7C31_pdf.html | malicious | HTMLPhisher | ip-api.com/json/?fields=status,country,regionName,city,query
208.95.112.1 | file.exe | malicious | Discord Token Stealer, DotStealer | ip-api.com/json/
208.95.112.1 | #U00d6deme.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | ip-api.com/line/?fields=hosting
208.95.112.1 | tDLozbx48F.exe | malicious | Gurcu Stealer | ip-api.com/line?fields=query,country
208.95.112.1 | x9XhRITucw.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 6ox7RfKeE3.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | 1pYgOj4wz8.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | SANTANDER%20AUDITORIA.scr.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Pago devuelto #.Documentos#97875657896786756457678568.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | PURCHASE_ORDER_120224.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Itnaledi Salary_ Payslip _ Updates4C79949D7C31_pdf.html | malicious | HTMLPhisher | 208.95.112.1
ip-api.com | file.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
ip-api.com | #U00d6deme.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 208.95.112.1
ip-api.com | tDLozbx48F.exe | malicious | Gurcu Stealer | 208.95.112.1
ip-api.com | x9XhRITucw.exe | malicious | XWorm | 208.95.112.1
ip-api.com | 6ox7RfKeE3.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
ip-api.com | 1pYgOj4wz8.exe | malicious | XWorm | 208.95.112.1
api.ipify.org | Ref#60031796.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | Ref#1550238.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | BuMdSP88Ze.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | SANTANDER%20AUDITORIA.scr.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | main.exe | malicious | Unknown | 172.67.74.152
api.ipify.org | https://dsiete.co/share.html | malicious | HTMLPhisher | 104.26.13.205
api.ipify.org | Content Collaboration Terms.dll.exe | malicious | LummaC Stealer | 172.67.74.152
api.ipify.org | https://apnasofa.com/episode/index#YmVuQG1pY3Jvc29mdC5jb20== | malicious | Unknown | 104.26.13.205
api.ipify.org | Employee_Important_Message.pdf | malicious | Unknown | 104.26.12.205
api.ipify.org | l6F8Xgr0Ov.exe | malicious | AgentTesla | 104.26.12.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNIFIEDLAYER-AS-1US | BuMdSP88Ze.exe | malicious | AgentTesla | 50.87.219.149
UNIFIEDLAYER-AS-1US | SW_5724.exe | malicious | FormBook | 108.179.253.197
UNIFIEDLAYER-AS-1US | PAGAMENTO CREDIT_AGRICOLE.doc | malicious | XWorm | 192.254.232.209
UNIFIEDLAYER-AS-1US | fred.html | malicious | Unknown | 69.49.245.172
UNIFIEDLAYER-AS-1US | https://dsiete.co/share.html | malicious | HTMLPhisher | 173.254.24.56
UNIFIEDLAYER-AS-1US | Po-AD841.exe | malicious | AgentTesla | 108.179.234.136
UNIFIEDLAYER-AS-1US | V-Mail.msg | malicious | Unknown | 69.49.245.172
UNIFIEDLAYER-AS-1US | https://protect.checkpoint.com/v2/r01/___https:/vlp6cm34.r.us-east-1.awstrack.me/Q5dmyyux:e7Ke7Kjrfnq.ynintwjuqD.htr*7Kh*7KjOBJBJLTmXFRFSIYBSOlvWZ1QLgoUfHylhY/JnF_riAUpCWczNA0yO_jaB*~*oG6AYM23pBoyDNMJ-PJR-NmPFsN*~*VgZA/PF0HUyICotYzOGFnKvZNBMhC*~*KfYclayEc_La*~*ccZq7wY-S_IKBLwx/KWAAv8MVfzRwNM6LCN8Jigf*~*80C6gkuabRjmLM--7qPAcOAlUFFI__5pCS9Bd6d565556c8b*~*/hi595-9hb*~3*gh-a*~*bg-9bgb-ci5/-b9jf76k5b9g*~*-555555do29l0Y3hHjFJM3POpxyJsMjDY*~*5=957___.YzJ1OndhaXRha2VyZXByaW1hcnk6YzpvOmNkMzFiOWRiNjRlNzYwZWExOWZkZjZlZWU4YmI5NjkyOjc6NjQxYjozOTM5M2Y5MjlmZWNkMGUzMGYzMjUxMGFiZDQ0YjU2Mzg5ODdlNDNlNTAyN2VlYjBmMjQxZjc3Mjg5OGNiMWQxOmg6VDpU%3E | malicious | Unknown | 69.49.245.172
UNIFIEDLAYER-AS-1US | [EXTERNAL] Fw_ LVW 1201831..eml | malicious | Unknown | 69.49.230.198
UNIFIEDLAYER-AS-1US | ATT4802.html | malicious | Unknown | 69.49.245.172
TUT-ASUS | SANTANDER%20AUDITORIA.scr.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Pago devuelto #.Documentos#97875657896786756457678568.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | PURCHASE_ORDER_120224.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Itnaledi Salary_ Payslip _ Updates4C79949D7C31_pdf.html | malicious | HTMLPhisher | 208.95.112.1
TUT-ASUS | file.exe | malicious | Discord Token Stealer, DotStealer | 208.95.112.1
TUT-ASUS | #U00d6deme.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 208.95.112.1
TUT-ASUS | tDLozbx48F.exe | malicious | Gurcu Stealer | 208.95.112.1
TUT-ASUS | x9XhRITucw.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | 6ox7RfKeE3.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
TUT-ASUS | 1pYgOj4wz8.exe | malicious | XWorm | 208.95.112.1
CLOUDFLARENETUS | MOaSkQR8WU.xlsx | malicious | Unknown | 188.114.97.6
CLOUDFLARENETUS | Voicemail_+Transcription006332.docx | malicious | Unknown | 104.21.34.75
CLOUDFLARENETUS | Ksl3V3pqZq.xls | malicious | Unknown | 188.114.97.6
CLOUDFLARENETUS | Voicemail_+Transcription006332.docx | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | https://four-shared-field.glitch.me/#admin@average-adjusters.com | malicious | Unknown | 172.67.167.75
CLOUDFLARENETUS | Request for Quote and Collaboration Docs.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
CLOUDFLARENETUS | YQ3PhY2Aeq.exe | malicious | Stealc, Vidar | 104.21.56.70
CLOUDFLARENETUS | Request for Quote and Collaboration Docs.exe | malicious | GuLoader, Snake Keylogger | 172.67.177.134
CLOUDFLARENETUS | REQUEST FOR QUOATION AND PRICES.exe | malicious | GuLoader, MassLogger RAT | 104.21.67.152
CLOUDFLARENETUS | Ref#116670.exe | malicious | MassLogger RAT | 172.67.177.134
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Voicemail_+Transcription006332.docx | malicious | Unknown | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | https://four-shared-field.glitch.me/#admin@average-adjusters.com | malicious | Unknown | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Request for Quote and Collaboration Docs.exe | malicious | GuLoader, Snake Keylogger | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | SplpM1fFkV.exe | malicious | Unknown | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | REQUEST FOR QUOATION AND PRICES.exe | malicious | GuLoader, MassLogger RAT | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Ref#116670.exe | malicious | MassLogger RAT | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Ref#60031796.exe | malicious | AgentTesla | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | IBAN payment confirmation.exe | malicious | GuLoader, MassLogger RAT | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | Ref#1550238.exe | malicious | AgentTesla | 172.67.74.152
3b5074b1b5d032e5620f69f9f700ff0e | BuMdSP88Ze.exe | malicious | AgentTesla | 172.67.74.152
                                                                      No context
                                                                      No created / dropped files found
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.210139224741649
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: uLFOeGZaJS.exe
File size: 267'264 bytes
MD5: ec02b1d48f34dfa40ef212f737738d5e
SHA1: 644d63dcc57b3a82727122a152e9db6a1a97101f
SHA256: 455c4725e43d0a0336232373e7ff05968a4ce178ec845263237880781c4456ea
SHA512: fdb77caad22ad3a5f623e89adc04b52d166312861800bc00cdbcf8c2057c1d0287f939f1f220485e025bf62a39bbb0da79563cf3f7ce5e2d35e852a16349c823
SSDEEP: 3072:q3eZdlFdd0O7XOMY4I9UrwxYabktx4i25vcF8PUwJD5vje:DdlFdd0O7XOMYb+lNtx4ifF21vvj
TLSH: 474420037E48EB11E1A87D3792EF6C2413B2B0C71733D60BAF49ABA514516926C7E72D
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.....................D........... ........@.. ....................................@................................
Icon Hash: 6286b244d63270fa
Entrypoint: 0x43ed8e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x660FAB85 [Fri Apr 5 07:43:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times)
The jump target 0x402000 is the IAT entry (RVA 0x2000, see the data directories below) holding the single mscoree.dll import _CorExeMain, i.e. the standard native entry stub of a .NET executable. The bytes following the jump are all zero, and 00 00 disassembles as add byte ptr [eax], al, which is why that instruction repeats.
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x3ed3c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x40000          0x4120        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x46000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x3cd94       0x3ce00   b70c08a4efcee775b76e874bac796f42  False     0.35690451745379875  data       5.022203459705477    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x40000          0x4120        0x4200    295b1e14b913df111b969cc7d89d188e  False     0.6515151515151515   data       5.870293684168006    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x46000          0xc           0x200     2334158d2db0d80b65821d7f5f002a9f  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                                Language  Country  ZLIB Complexity
RT_ICON        0x40190  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 1024                    -         -        0.7287234042553191
RT_ICON        0x405f8  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 4096                    -         -        0.700984990619137
RT_ICON        0x416a0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216                    -         -        0.674688796680498
RT_GROUP_ICON  0x43c48  0x30    data                                                                                -         -        0.8125
RT_VERSION     0x43c78  0x2bc   data                                                                                -         -        0.44142857142857145
RT_MANIFEST    0x43f34  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators   -         -        0.5469387755102041
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Dec 3, 2024 16:00:07.493429899 CET  49704        443        192.168.2.5      172.67.74.152
Dec 3, 2024 16:00:07.493474960 CET  443          49704      172.67.74.152    192.168.2.5
Dec 3, 2024 16:00:07.493544102 CET  49704        443        192.168.2.5      172.67.74.152
Dec 3, 2024 16:00:07.503782034 CET  49704        443        192.168.2.5      172.67.74.152
Dec 3, 2024 16:00:07.503797054 CET  443          49704      172.67.74.152    192.168.2.5
Dec 3, 2024 16:00:08.789182901 CET  443          49704      172.67.74.152    192.168.2.5
Dec 3, 2024 16:00:08.789385080 CET  49704        443        192.168.2.5      172.67.74.152
Dec 3, 2024 16:00:08.794919968 CET  49704        443        192.168.2.5      172.67.74.152
Dec 3, 2024 16:00:08.794940948 CET  443          49704      172.67.74.152    192.168.2.5
Dec 3, 2024 16:00:08.795214891 CET  443          49704      172.67.74.152    192.168.2.5
Dec 3, 2024 16:00:08.849224091 CET  49704        443        192.168.2.5      172.67.74.152
Dec 3, 2024 16:00:08.881093979 CET  49704        443        192.168.2.5      172.67.74.152
Dec 3, 2024 16:00:08.927340031 CET  443          49704      172.67.74.152    192.168.2.5
Dec 3, 2024 16:00:09.275743961 CET  443          49704      172.67.74.152    192.168.2.5
Dec 3, 2024 16:00:09.275821924 CET  443          49704      172.67.74.152    192.168.2.5
Dec 3, 2024 16:00:09.275953054 CET  49704        443        192.168.2.5      172.67.74.152
Dec 3, 2024 16:00:09.295954943 CET  49704        443        192.168.2.5      172.67.74.152
Dec 3, 2024 16:00:09.469701052 CET  49705        80         192.168.2.5      208.95.112.1
Dec 3, 2024 16:00:09.590003014 CET  80           49705      208.95.112.1     192.168.2.5
Dec 3, 2024 16:00:09.590121984 CET  49705        80         192.168.2.5      208.95.112.1
Dec 3, 2024 16:00:09.590430021 CET  49705        80         192.168.2.5      208.95.112.1
Dec 3, 2024 16:00:09.710522890 CET  80           49705      208.95.112.1     192.168.2.5
Dec 3, 2024 16:00:10.858158112 CET  80           49705      208.95.112.1     192.168.2.5
Dec 3, 2024 16:00:10.905597925 CET  49705        80         192.168.2.5      208.95.112.1
Dec 3, 2024 16:00:11.426704884 CET  49705        80         192.168.2.5      208.95.112.1
Dec 3, 2024 16:00:11.547081947 CET  80           49705      208.95.112.1     192.168.2.5
Dec 3, 2024 16:00:11.547138929 CET  49705        80         192.168.2.5      208.95.112.1
Dec 3, 2024 16:00:12.324433088 CET  49706        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.447952986 CET  21           49706      192.254.225.136  192.168.2.5
Dec 3, 2024 16:00:12.448121071 CET  49706        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.489531994 CET  49706        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.567338943 CET  49707        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.609745979 CET  21           49706      192.254.225.136  192.168.2.5
Dec 3, 2024 16:00:12.609828949 CET  49706        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.687392950 CET  21           49707      192.254.225.136  192.168.2.5
Dec 3, 2024 16:00:12.687484026 CET  49707        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.687800884 CET  49707        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.689344883 CET  49708        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.807729006 CET  21           49707      192.254.225.136  192.168.2.5
Dec 3, 2024 16:00:12.807956934 CET  21           49707      192.254.225.136  192.168.2.5
Dec 3, 2024 16:00:12.808016062 CET  49707        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.809451103 CET  21           49708      192.254.225.136  192.168.2.5
Dec 3, 2024 16:00:12.809525013 CET  49708        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.809741020 CET  49708        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.811260939 CET  49709        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.930046082 CET  21           49708      192.254.225.136  192.168.2.5
Dec 3, 2024 16:00:12.930102110 CET  49708        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.931329012 CET  21           49709      192.254.225.136  192.168.2.5
Dec 3, 2024 16:00:12.931406975 CET  49709        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:12.931633949 CET  49709        21         192.168.2.5      192.254.225.136
Dec 3, 2024 16:00:13.052087069 CET  21           49709      192.254.225.136  192.168.2.5
Dec 3, 2024 16:00:13.052138090 CET  21           49709      192.254.225.136  192.168.2.5
Dec 3, 2024 16:00:13.052220106 CET  49709        21         192.168.2.5      192.254.225.136
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Dec 3, 2024 16:00:07.330559015 CET  55215        53         192.168.2.5  1.1.1.1
Dec 3, 2024 16:00:07.468245029 CET  53           55215      1.1.1.1      192.168.2.5
Dec 3, 2024 16:00:09.328212023 CET  61212        53         192.168.2.5  1.1.1.1
Dec 3, 2024 16:00:09.466171980 CET  53           61212      1.1.1.1      192.168.2.5
Dec 3, 2024 16:00:11.427794933 CET  60358        53         192.168.2.5  1.1.1.1
Dec 3, 2024 16:00:12.283745050 CET  53           60358      1.1.1.1      192.168.2.5
Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class        DNS over HTTPS
Dec 3, 2024 16:00:07.330559015 CET  192.168.2.5  1.1.1.1  0x22bf    Standard query (0)  api.ipify.org         A (IP address)  IN (0x0001)  false
Dec 3, 2024 16:00:09.328212023 CET  192.168.2.5  1.1.1.1  0xfcc1    Standard query (0)  ip-api.com            A (IP address)  IN (0x0001)  false
Dec 3, 2024 16:00:11.427794933 CET  192.168.2.5  1.1.1.1  0xba98    Standard query (0)  ftp.ercolina-usa.com  A (IP address)  IN (0x0001)  false
Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                  CName             Address          Type                    Class        DNS over HTTPS
Dec 3, 2024 16:00:07.468245029 CET  1.1.1.1    192.168.2.5  0x22bf    No error (0)  api.ipify.org         -                 172.67.74.152    A (IP address)          IN (0x0001)  false
Dec 3, 2024 16:00:07.468245029 CET  1.1.1.1    192.168.2.5  0x22bf    No error (0)  api.ipify.org         -                 104.26.12.205    A (IP address)          IN (0x0001)  false
Dec 3, 2024 16:00:07.468245029 CET  1.1.1.1    192.168.2.5  0x22bf    No error (0)  api.ipify.org         -                 104.26.13.205    A (IP address)          IN (0x0001)  false
Dec 3, 2024 16:00:09.466171980 CET  1.1.1.1    192.168.2.5  0xfcc1    No error (0)  ip-api.com            -                 208.95.112.1     A (IP address)          IN (0x0001)  false
Dec 3, 2024 16:00:12.283745050 CET  1.1.1.1    192.168.2.5  0xba98    No error (0)  ftp.ercolina-usa.com  ercolina-usa.com  -                CNAME (Canonical name)  IN (0x0001)  false
Dec 3, 2024 16:00:12.283745050 CET  1.1.1.1    192.168.2.5  0xba98    No error (0)  ercolina-usa.com      -                 192.254.225.136  A (IP address)          IN (0x0001)  false
                                                                      • api.ipify.org
                                                                      • ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49705        208.95.112.1    80                1264  C:\Users\user\Desktop\uLFOeGZaJS.exe

Timestamp                           Bytes transferred  Direction  Data
Dec 3, 2024 16:00:09.590430021 CET  80                 OUT        GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Dec 3, 2024 16:00:10.858158112 CET  175                IN         HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 15:00:09 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49704        172.67.74.152   443               1264  C:\Users\user\Desktop\uLFOeGZaJS.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-03 15:00:08 UTC  155                OUT        GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-12-03 15:00:09 UTC  423                IN         HTTP/1.1 200 OK
Date: Tue, 03 Dec 2024 15:00:09 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 8ec46cb4bac032d0-EWR
server-timing: cfL4;desc="?proto=TCP&rtt=1804&min_rtt=1804&rtt_var=902&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4178&recv_bytes=769&delivery_rate=384818&cwnd=168&unsent_bytes=0&cid=fcc8c340680c596c&ts=488&x=0"
2024-12-03 15:00:09 UTC  12                 IN         Data Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
Data Ascii: 8.46.123.228


Target ID: 0
Start time: 10:00:06
Start date: 03/12/2024
Path: C:\Users\user\Desktop\uLFOeGZaJS.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\uLFOeGZaJS.exe"
Imagebase: 0xc90000
File size: 267'264 bytes
MD5 hash: EC02B1D48F34DFA40EF212F737738D5E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4531022648.000000000310D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000000.2077701139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000000.2077701139.0000000000C92000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4531022648.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.4531022648.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


                                                                        Execution Graph

                                                                        Execution Coverage:13.9%
                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                        Signature Coverage:7.1%
                                                                        Total number of Nodes:198
                                                                        Total number of Limit Nodes:22
                                                                        execution_graph 43533 6dcc458 43534 6dcc4b2 OleGetClipboard 43533->43534 43535 6dcc4f2 43534->43535 43535->43535 43536 6dca638 43537 6dca639 GetCurrentProcess 43536->43537 43539 6dca6d0 GetCurrentThread 43537->43539 43542 6dca6c9 43537->43542 43540 6dca70d GetCurrentProcess 43539->43540 43543 6dca706 43539->43543 43541 6dca743 43540->43541 43544 6dca76b GetCurrentThreadId 43541->43544 43542->43539 43543->43540 43545 6dca79c 43544->43545 43546 6dc6c38 43547 6dc6ca0 CreateWindowExW 43546->43547 43549 6dc6d5c 43547->43549 43550 6dcde48 43551 6dcde8c SetWindowsHookExA 43550->43551 43553 6dcded2 43551->43553 43554 6dc5788 43555 6dc578c GetModuleHandleW 43554->43555 43557 6dc5805 43555->43557 43558 12ad030 43559 12ad048 43558->43559 43560 12ad0a2 43559->43560 43569 6dcb461 43559->43569 43578 6dc6df0 43559->43578 43584 6dc6f10 43559->43584 43592 6dc59f4 43559->43592 43596 6dc59e4 43559->43596 43607 6dc5a04 43559->43607 43615 6dc6deb 43559->43615 43621 6dcb478 43559->43621 43570 6dcb47a 43569->43570 43571 6dcb46a 43569->43571 43572 6dcb4e9 43570->43572 43574 6dcb4d9 43570->43574 43571->43560 43575 6dcb4e7 43572->43575 43637 6dca434 43572->43637 43629 6dcb610 43574->43629 43633 6dcb600 43574->43633 43575->43575 43579 6dc6e16 43578->43579 43580 6dc59f4 GetModuleHandleW 43579->43580 43581 6dc6e22 43580->43581 43582 6dc5a04 CallWindowProcW 43581->43582 43583 6dc6e37 43582->43583 43583->43560 43585 6dc6f14 43584->43585 43586 6dc6f1e 43585->43586 43589 6dc6f2b 43585->43589 43641 6dc5a2c 43586->43641 43591 6dc6ff7 43589->43591 43645 6dc414c 43589->43645 43593 6dc59ff 43592->43593 43594 6dc5a2c GetModuleHandleW 43593->43594 43595 6dc6f27 43594->43595 43595->43560 43597 6dc59f7 43596->43597 43602 6dc5a04 43596->43602 43598 6dc5a2c GetModuleHandleW 43597->43598 43599 6dc6f27 43598->43599 43599->43560 43600 6dcb4e9 43601 6dca434 CallWindowProcW 43600->43601 43604 6dcb4e7 43600->43604 43601->43604 43602->43600 
43603 6dcb4d9 43602->43603 43605 6dcb610 CallWindowProcW 43603->43605 43606 6dcb600 CallWindowProcW 43603->43606 43604->43604 43605->43604 43606->43604 43608 6dc5a0f 43607->43608 43609 6dcb4e9 43608->43609 43611 6dcb4d9 43608->43611 43610 6dca434 CallWindowProcW 43609->43610 43612 6dcb4e7 43609->43612 43610->43612 43613 6dcb610 CallWindowProcW 43611->43613 43614 6dcb600 CallWindowProcW 43611->43614 43612->43612 43613->43612 43614->43612 43616 6dc6df1 43615->43616 43617 6dc59f4 GetModuleHandleW 43616->43617 43618 6dc6e22 43617->43618 43619 6dc5a04 CallWindowProcW 43618->43619 43620 6dc6e37 43619->43620 43620->43560 43624 6dcb4b5 43621->43624 43622 6dcb4e9 43623 6dca434 CallWindowProcW 43622->43623 43626 6dcb4e7 43622->43626 43623->43626 43624->43622 43625 6dcb4d9 43624->43625 43627 6dcb610 CallWindowProcW 43625->43627 43628 6dcb600 CallWindowProcW 43625->43628 43626->43626 43627->43626 43628->43626 43632 6dcb61e 43629->43632 43630 6dca434 CallWindowProcW 43630->43632 43631 6dcb6fa 43631->43575 43632->43630 43632->43631 43635 6dcb610 43633->43635 43634 6dca434 CallWindowProcW 43634->43635 43635->43634 43636 6dcb6fa 43635->43636 43636->43575 43638 6dca43f 43637->43638 43639 6dcb7aa CallWindowProcW 43638->43639 43640 6dcb759 43638->43640 43639->43640 43640->43575 43642 6dc5a37 43641->43642 43643 6dc414c GetModuleHandleW 43642->43643 43644 6dc6ff7 43642->43644 43643->43644 43646 6dc5790 GetModuleHandleW 43645->43646 43648 6dc5805 43646->43648 43648->43591 43649 6dcc2c0 43650 6dcc2cb 43649->43650 43651 6dcc2db 43650->43651 43653 6dcbd2c 43650->43653 43654 6dcc310 OleInitialize 43653->43654 43655 6dcc374 43654->43655 43655->43651 43656 6dca880 DuplicateHandle 43657 6dca916 43656->43657 43658 1350848 43660 135084e 43658->43660 43659 135091b 43660->43659 43662 1351340 43660->43662 43663 1351350 43662->43663 43664 1351466 43663->43664 43671 6dc3b90 43663->43671 43677 6dc3b80 43663->43677 43683 1357dff 43663->43683 43688 1357d80 43663->43688 43694 1357d30 43663->43694 43700 
1358c41 43663->43700 43664->43660 43672 6dc3b91 43671->43672 43675 6dc3c53 43672->43675 43705 6dc32cc 43672->43705 43674 6dc3c19 43710 6dc32ec 43674->43710 43675->43663 43678 6dc3b90 43677->43678 43679 6dc32cc GetModuleHandleW 43678->43679 43681 6dc3c53 43678->43681 43680 6dc3c19 43679->43680 43682 6dc32ec KiUserCallbackDispatcher 43680->43682 43681->43663 43682->43681 43684 1357da2 43683->43684 43685 1357e0d 43684->43685 43755 1357f59 43684->43755 43685->43663 43686 1357d91 43686->43663 43689 1357d81 43688->43689 43690 1357da2 43689->43690 43691 1357d8a 43689->43691 43692 1357dff CheckRemoteDebuggerPresent 43689->43692 43693 1357f59 CheckRemoteDebuggerPresent 43690->43693 43691->43663 43692->43689 43693->43691 43695 1357d7c 43694->43695 43696 1357da2 43695->43696 43697 1357d8a 43695->43697 43698 1357dff CheckRemoteDebuggerPresent 43695->43698 43699 1357f59 CheckRemoteDebuggerPresent 43696->43699 43697->43663 43698->43695 43699->43697 43702 1358c4b 43700->43702 43701 1358d01 43701->43663 43702->43701 43760 6ddf618 43702->43760 43765 6ddf608 43702->43765 43706 6dc32d7 43705->43706 43714 6dc4d58 43706->43714 43720 6dc4d43 43706->43720 43707 6dc3dfa 43707->43674 43711 6dc32f7 43710->43711 43713 6dcba33 43711->43713 43751 6dca48c 43711->43751 43713->43675 43715 6dc4d83 43714->43715 43726 6dc52d0 43715->43726 43716 6dc4e06 43717 6dc414c GetModuleHandleW 43716->43717 43718 6dc4e32 43716->43718 43717->43718 43721 6dc4d50 43720->43721 43725 6dc52d0 GetModuleHandleW 43721->43725 43722 6dc4e06 43723 6dc414c GetModuleHandleW 43722->43723 43724 6dc4e32 43722->43724 43723->43724 43725->43722 43727 6dc52d4 43726->43727 43728 6dc538e 43727->43728 43731 6dc5450 43727->43731 43741 6dc5440 43727->43741 43732 6dc5465 43731->43732 43733 6dc414c GetModuleHandleW 43732->43733 43734 6dc5489 43732->43734 43733->43734 43735 6dc414c GetModuleHandleW 43734->43735 43740 6dc5654 43734->43740 43736 6dc55da 43735->43736 43737 6dc414c GetModuleHandleW 43736->43737 43736->43740 43738 6dc5628 
43737->43738 43739 6dc414c GetModuleHandleW 43738->43739 43738->43740 43739->43740 43740->43728 43742 6dc5444 43741->43742 43743 6dc414c GetModuleHandleW 43742->43743 43744 6dc5489 43742->43744 43743->43744 43745 6dc414c GetModuleHandleW 43744->43745 43750 6dc5654 43744->43750 43746 6dc55da 43745->43746 43747 6dc414c GetModuleHandleW 43746->43747 43746->43750 43748 6dc5628 43747->43748 43749 6dc414c GetModuleHandleW 43748->43749 43748->43750 43749->43750 43750->43728 43752 6dcba48 KiUserCallbackDispatcher 43751->43752 43754 6dcbab6 43752->43754 43754->43711 43756 1357f5c 43755->43756 43757 1357efa CheckRemoteDebuggerPresent 43756->43757 43759 1357f65 43756->43759 43758 1357f0e 43757->43758 43758->43686 43759->43686 43761 6ddf62d 43760->43761 43762 6ddf842 43761->43762 43763 6ddfc61 GlobalMemoryStatusEx 43761->43763 43764 6ddfc70 GlobalMemoryStatusEx 43761->43764 43762->43701 43763->43761 43764->43761 43766 6ddf618 43765->43766 43767 6ddf842 43766->43767 43768 6ddfc61 GlobalMemoryStatusEx 43766->43768 43769 6ddfc70 GlobalMemoryStatusEx 43766->43769 43767->43701 43768->43766 43769->43766
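The execution_graph dump above is a flat, whitespace-separated edge list: `<node_id> <hex_addr> [ApiName ...]` defines a node (with any Win32 API the node calls) and `<src>-><dst>` defines an edge. Reading it by eye to find where the anti-debug check, the global keyboard hook or the memory-size query sit is tedious, so the following script is an added example (not part of the Joe Sandbox report or its tooling) that parses that format and lists the call sites of a small API watchlist together with the nodes that reach them. The sample text is an excerpt copied from the dump on this page, with one node id and its address split across lines the way the report wraps them; the category labels in `WATCHLIST` are the editor's assumption, not something the report states.

```python
"""Parse a Joe Sandbox execution_graph dump and triage the Win32 API call
sites it records.

Added example, not part of the report. The token format is inferred from the
dump on this page: `<node_id> <hex_addr> [ApiName ...]` defines a node and
`<src>-><dst>` defines an edge. WATCHLIST categories are assumptions.
"""
import re
from collections import defaultdict

# Assumed triage categories for APIs that appear in the dump above.
WATCHLIST = {
    "CheckRemoteDebuggerPresent": "anti-debug",
    "GlobalMemoryStatusEx": "sandbox/VM check (RAM size heuristic)",
    "SetWindowsHookExA": "keylogging (global hook)",
    "OleGetClipboard": "clipboard capture",
    "DuplicateHandle": "handle manipulation",
}

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")

# Constructed sample: an excerpt of the execution_graph dump on this page,
# with the id/address pair of node 43760 wrapped across lines on purpose.
SAMPLE = """execution_graph 43533 6dcc458 43534 6dcc4b2 OleGetClipboard 43533->43534 43535 6dcc4f2
43534->43535 43535->43535 43550 6dcde48 43551 6dcde8c SetWindowsHookExA 43550->43551 43553 6dcded2
43551->43553 43658 1350848 43660 135084e 43658->43660 43688 1357d80 43689 1357d81 43688->43689
43692 1357dff CheckRemoteDebuggerPresent 43689->43692 43692->43689 43760
6ddf618 43761 6ddf62d 43760->43761 43763 6ddfc61 GlobalMemoryStatusEx 43761->43763 43763->43761"""


def parse_execution_graph(text):
    """Return ({node_id: (addr, [apis])}, [(src, dst), ...]).

    Line breaks are insignificant (the report wraps a node id and its address
    across lines), so the text is tokenised purely on whitespace.
    """
    nodes, edges = {}, []
    current, expect_addr = None, False
    for tok in text.split():
        if tok == "execution_graph":
            continue
        if expect_addr:
            # The token right after a node id is always its address, even when
            # the address is all decimal digits (e.g. 1350848), so a regex on
            # the token alone cannot tell ids and addresses apart.
            nodes[current] = (tok, [])
            expect_addr = False
            continue
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
        elif NODE_ID_RE.match(tok):
            current, expect_addr = int(tok), True
        elif current is not None:
            nodes[current][1].append(tok)  # API name attached to current node
    return nodes, edges


def transitive_callers(edges, target):
    """Node ids that can reach `target`, found by walking edges backwards."""
    preds = defaultdict(set)
    for src, dst in edges:
        preds[dst].add(src)
    seen, stack = set(), [target]
    while stack:
        for p in preds[stack.pop()]:
            if p != target and p not in seen:
                seen.add(p)
                stack.append(p)
    return seen


def triage(text):
    """Map each watch-listed API to its call sites and the addresses that reach them."""
    nodes, edges = parse_execution_graph(text)
    report = {}
    for nid, (addr, apis) in nodes.items():
        for api in apis:
            if api not in WATCHLIST:
                continue
            entry = report.setdefault(
                api, {"category": WATCHLIST[api], "sites": [], "reached_from": set()})
            entry["sites"].append(addr)
            entry["reached_from"] |= {
                nodes[c][0] for c in transitive_callers(edges, nid) if c in nodes}
    return report


if __name__ == "__main__":
    for api, info in sorted(triage(SAMPLE).items()):
        print(f"{api:28} {info['category']:40} at {', '.join(info['sites'])}"
              f"  reached from {sorted(info['reached_from'])}")
```

Running the script on the full dump (paste the execution_graph text into `SAMPLE` or read it from a file) gives, per API, the memory addresses to set breakpoints on and the callers to walk back to the decrypted .NET code; the `reached_from` set is what turns a bare signature hit such as "Contains functionality to check if a debugger is running" into a concrete place to patch or hook.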
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-3723351465
                                                                        • Opcode ID: 8491de223795fa20d1514a37cf1ff4ba74569ed2e25ae6f9f085a8b24eefe139
                                                                        • Instruction ID: afaf36da060a9f6d4212d20ead03d34298a7cd22d5ac0d9593964b067f324e9a
                                                                        • Opcode Fuzzy Hash: 8491de223795fa20d1514a37cf1ff4ba74569ed2e25ae6f9f085a8b24eefe139
                                                                        • Instruction Fuzzy Hash: 7BD26A30E002098FCB64EF68C484A9DB7F2FF89314F55C5A9D449AB255EB35ED85CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530467685.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1350000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6f73d16e905552d7a3a6f01fceee2222928f6ba57c0a2d5bb8220c607d080215
                                                                        • Instruction ID: 0763ba7fd99a13909df48a9408d72621a46971f4cedace513190a77cdcfddd36
                                                                        • Opcode Fuzzy Hash: 6f73d16e905552d7a3a6f01fceee2222928f6ba57c0a2d5bb8220c607d080215
                                                                        • Instruction Fuzzy Hash: F4630931D10B1A8ACB51EF68C8849ADF7B1FF99300F15C79AE45877121EB70AAD5CB81

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1525 6dd7a10-6dd7a2e 1526 6dd7a30-6dd7a33 1525->1526 1527 6dd7a35-6dd7a51 1526->1527 1528 6dd7a56-6dd7a59 1526->1528 1527->1528 1529 6dd7a5b-6dd7a65 1528->1529 1530 6dd7a66-6dd7a69 1528->1530 1531 6dd7a6b-6dd7a85 1530->1531 1532 6dd7a8a-6dd7a8d 1530->1532 1531->1532 1534 6dd7a8f-6dd7a9d 1532->1534 1535 6dd7aa4-6dd7aa6 1532->1535 1540 6dd7ab6-6dd7acc 1534->1540 1543 6dd7a9f 1534->1543 1537 6dd7aad-6dd7ab0 1535->1537 1538 6dd7aa8 1535->1538 1537->1526 1537->1540 1538->1537 1545 6dd7ce7-6dd7cf1 1540->1545 1546 6dd7ad2-6dd7adb 1540->1546 1543->1535 1547 6dd7ae1-6dd7afe 1546->1547 1548 6dd7cf2-6dd7d27 1546->1548 1557 6dd7cd4-6dd7ce1 1547->1557 1558 6dd7b04-6dd7b2c 1547->1558 1551 6dd7d29-6dd7d2c 1548->1551 1553 6dd7d4f-6dd7d52 1551->1553 1554 6dd7d2e-6dd7d4a 1551->1554 1555 6dd7dff-6dd7e02 1553->1555 1556 6dd7d58-6dd7d64 1553->1556 1554->1553 1559 6dd7e08-6dd7e17 1555->1559 1560 6dd8037-6dd8039 1555->1560 1562 6dd7d6f-6dd7d71 1556->1562 1557->1545 1557->1546 1558->1557 1579 6dd7b32-6dd7b3b 1558->1579 1575 6dd7e19-6dd7e34 1559->1575 1576 6dd7e36-6dd7e7a 1559->1576 1563 6dd803b 1560->1563 1564 6dd8040-6dd8043 1560->1564 1567 6dd7d89-6dd7d8d 1562->1567 1568 6dd7d73-6dd7d79 1562->1568 1563->1564 1564->1551 1569 6dd8049-6dd8052 1564->1569 1573 6dd7d8f-6dd7d99 1567->1573 1574 6dd7d9b 1567->1574 1571 6dd7d7d-6dd7d7f 1568->1571 1572 6dd7d7b 1568->1572 1571->1567 1572->1567 1578 6dd7da0-6dd7da2 1573->1578 1574->1578 1575->1576 1585 6dd800b-6dd8021 1576->1585 1586 6dd7e80-6dd7e91 1576->1586 1581 6dd7db9-6dd7df2 1578->1581 1582 6dd7da4-6dd7da7 1578->1582 1579->1548 1584 6dd7b41-6dd7b5d 1579->1584 1581->1559 1605 6dd7df4-6dd7dfe 1581->1605 1582->1569 1591 6dd7b63-6dd7b8d 1584->1591 1592 6dd7cc2-6dd7cce 1584->1592 1585->1560 1595 6dd7e97-6dd7eb4 1586->1595 1596 6dd7ff6-6dd8005 1586->1596 1608 6dd7cb8-6dd7cbd 1591->1608 1609 6dd7b93-6dd7bbb 1591->1609 1592->1557 1592->1579 1595->1596 1607 
6dd7eba-6dd7fb0 call 6dd6238 1595->1607 1596->1585 1596->1586 1658 6dd7fbe 1607->1658 1659 6dd7fb2-6dd7fbc 1607->1659 1608->1592 1609->1608 1616 6dd7bc1-6dd7bef 1609->1616 1616->1608 1621 6dd7bf5-6dd7bfe 1616->1621 1621->1608 1622 6dd7c04-6dd7c36 1621->1622 1630 6dd7c38-6dd7c3c 1622->1630 1631 6dd7c41-6dd7c5d 1622->1631 1630->1608 1633 6dd7c3e 1630->1633 1631->1592 1634 6dd7c5f-6dd7cb6 call 6dd6238 1631->1634 1633->1631 1634->1592 1660 6dd7fc3-6dd7fc5 1658->1660 1659->1660 1660->1596 1661 6dd7fc7-6dd7fcc 1660->1661 1662 6dd7fce-6dd7fd8 1661->1662 1663 6dd7fda 1661->1663 1664 6dd7fdf-6dd7fe1 1662->1664 1663->1664 1664->1596 1665 6dd7fe3-6dd7fef 1664->1665 1665->1596
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q
                                                                        • API String ID: 0-127220927
                                                                        • Opcode ID: e6a8057c1717b39a0aeb6b0a98d80b643c70b7e6b8ebfe22e63e8d694c23c287
                                                                        • Instruction ID: 66cff5fe016ee585bc536f2d9757e281434f363d1cccda051ef9b7dd2babf506
                                                                        • Opcode Fuzzy Hash: e6a8057c1717b39a0aeb6b0a98d80b643c70b7e6b8ebfe22e63e8d694c23c287
                                                                        • Instruction Fuzzy Hash: 0C029E30B002068FDB54EF69D990AAEB7E6FF84314F148569D409EB394DB38ED46CB91

                                                                        Control-flow Graph

                                                                        • Executed
                                                                        • Not Executed
                                                                        control_flow_graph 1667 135ee18-135ee2a 1668 135ee2c-135ee59 call 13578bc 1667->1668 1669 135ee8e-135ee95 1667->1669 1675 135ee5e-135ee6b 1668->1675 1677 135ee96-135eefd 1675->1677 1678 135ee6d-135ee86 1675->1678 1688 135ef06-135ef16 1677->1688 1689 135eeff-135ef01 1677->1689 1678->1669 1691 135ef1d-135ef2d 1688->1691 1692 135ef18 1688->1692 1690 135f1a5-135f1ac 1689->1690 1694 135ef33-135ef41 1691->1694 1695 135f18c-135f19a 1691->1695 1692->1690 1698 135ef47 1694->1698 1699 135f1ad-135f226 1694->1699 1695->1699 1700 135f19c-135f1a0 call 1357b50 1695->1700 1698->1699 1701 135f077-135f09f 1698->1701 1702 135f111-135f13d 1698->1702 1703 135efb2-135efd3 1698->1703 1704 135f15c-135f17e 1698->1704 1705 135f13f-135f15a call 1350350 1698->1705 1706 135effe-135f01f 1698->1706 1707 135efd8-135eff9 1698->1707 1708 135ef65-135ef86 1698->1708 1709 135f024-135f045 1698->1709 1710 135f0a4-135f0e1 1698->1710 1711 135f0e6-135f10c 1698->1711 1712 135f180-135f18a 1698->1712 1713 135ef4e-135ef60 1698->1713 1714 135ef8b-135efad 1698->1714 1715 135f04a-135f072 1698->1715 1700->1690 1701->1690 1702->1690 1703->1690 1704->1690 1705->1690 1706->1690 1707->1690 1708->1690 1709->1690 1710->1690 1711->1690 1712->1690 1713->1690 1714->1690 1715->1690
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530467685.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1350000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: Xaq$$]q
                                                                        • API String ID: 0-1280934391
                                                                        • Opcode ID: ee2d39a1946382d7fbad0f9687e4acf83202d54eec12a5eed8079ef90f2ab67f
                                                                        • Instruction ID: a3cb9b95ad5664b34192256eeb9bf8dd761fafbe3c6973bfa52a0c5ee487ea6e
                                                                        • Opcode Fuzzy Hash: ee2d39a1946382d7fbad0f9687e4acf83202d54eec12a5eed8079ef90f2ab67f
                                                                        • Instruction Fuzzy Hash: 7FB1B470B142198BDB5DAF78985467E7BBBBFC9B10B04852DE846E7388DE34CC028795
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 01357EFF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530467685.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1350000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: e7703c1802480cbca5dbbbf4c2808ed2d3de0e833f742948dfe3b1d5c565708e
                                                                        • Instruction ID: 5a1d47a0be2928c0ce692f96d48c5a50a83fd5eb796d6710d6ee343f81352f10
                                                                        • Opcode Fuzzy Hash: e7703c1802480cbca5dbbbf4c2808ed2d3de0e833f742948dfe3b1d5c565708e
                                                                        • Instruction Fuzzy Hash: 80213472A002559FCB52EB7DC8017EDBBE19B45618F548469ED0CE7342E738C94ACB92
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: nKuq
                                                                        • API String ID: 0-4080595220
                                                                        • Opcode ID: 3dcf150d2581264d7aa62506528e3fc99380ba6e98b0bb7d2d218bb7eccf6067
                                                                        • Instruction ID: 39b79394388b74de079413d35677849e327099d1d85ef1145c1fc6cc511cc497
                                                                        • Opcode Fuzzy Hash: 3dcf150d2581264d7aa62506528e3fc99380ba6e98b0bb7d2d218bb7eccf6067
                                                                        • Instruction Fuzzy Hash: FAB18171E1022A9FDB64DFA9C8407AEBBBAFF88720F10452EE505E7291C7359905CBD1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 621e5bb203c355c9a510a8724aca20d5aae7430848e5fd76923c619a62530d77
                                                                        • Instruction ID: 393c1cb5378eb0642f293f3c647f4454570bbe19ca5e93bb697819f214b538d7
                                                                        • Opcode Fuzzy Hash: 621e5bb203c355c9a510a8724aca20d5aae7430848e5fd76923c619a62530d77
                                                                        • Instruction Fuzzy Hash: C3629E34B002459FDB54EFA8D584AADBBF2EF88314F148469E405EB395DB39EC46CB90
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b4db169698e31bdb28ec823cd5c23f6b505f64f6385e44010add57a761d16ec5
                                                                        • Instruction ID: 8b3bd759930e8c65faf2f155f70b4d31321e65325c617ff353a6df21b9c2dcdb
                                                                        • Opcode Fuzzy Hash: b4db169698e31bdb28ec823cd5c23f6b505f64f6385e44010add57a761d16ec5
                                                                        • Instruction Fuzzy Hash: 49327230B102099FDF54EFA8D990AADBBBAFB88314F108529D405EB355DB39DC46CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530467685.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1350000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 77f5a1d282f2ef8243ebf570b2f583874afab149297805be53af0854a89ab942
                                                                        • Instruction ID: 8c42263cbd61e55a6ff3f9c247e0580265dfb83c27bdbc78651c6fdafc0feaaf
                                                                        • Opcode Fuzzy Hash: 77f5a1d282f2ef8243ebf570b2f583874afab149297805be53af0854a89ab942
                                                                        • Instruction Fuzzy Hash: 1A32DF30B002098FDB55DF68D884AADBBB2FF88714F148529E909EB395DB35DC46CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 83701cf89e821dc57342bd64d47b0f86c90e2bdb04e24db93739d70aaea0bf71
                                                                        • Instruction ID: b4c6eae72fc3f788dd873174d1b2b123ce5a4c8b05868a6f70523e99bf0e6f6e
                                                                        • Opcode Fuzzy Hash: 83701cf89e821dc57342bd64d47b0f86c90e2bdb04e24db93739d70aaea0bf71
                                                                        • Instruction Fuzzy Hash: A72294B0E102098FDF64EF69D5807ADB7B6FB45318F15882AE415EB391DA38DC81CB51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 47ae9148071fdd936b03edcae59a1464008a5c0eca2d4550a0b851d6e8d721f9
                                                                        • Instruction ID: bf295f5029504d2046c60c1167a40957679c5a58608e278ba95f4f91bf495e6f
                                                                        • Opcode Fuzzy Hash: 47ae9148071fdd936b03edcae59a1464008a5c0eca2d4550a0b851d6e8d721f9
                                                                        • Instruction Fuzzy Hash: A112E471F002058BDF64EF64E89076EBBB2EB84314F248429D85AAB385DB35DC46CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530467685.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1350000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1bee159d2d85290cafa13ba81c4a1c76def55b6bd1be8515ee0399f5ebf0bbc7
                                                                        • Instruction ID: d2ec0c5ac9a82e5fef9f8793f3e484cb82d380dd03ca0826ed419ff64dedbfd6
                                                                        • Opcode Fuzzy Hash: 1bee159d2d85290cafa13ba81c4a1c76def55b6bd1be8515ee0399f5ebf0bbc7
                                                                        • Instruction Fuzzy Hash: 0FB18070E00219CFDF58CFA9D885BDDBBF2BF88B08F148529D815A7254EB749881CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530467685.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1350000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a08a929e21c528d202c3d475d60d3a16528ff57a339c56677f99e3e811a16a6c
                                                                        • Instruction ID: aa886fcd7441a09c30c4f8a484b1304433a53170d93059da9cdaa0b708a677a1
                                                                        • Opcode Fuzzy Hash: a08a929e21c528d202c3d475d60d3a16528ff57a339c56677f99e3e811a16a6c
                                                                        • Instruction Fuzzy Hash: 94B16E70E00209DFDF58CFA9D981B9DBBF2AF88B18F148129D855E7254EB749885CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4c9c4bb3c1a26daef0c023e6039255180360869b19d93e6a20daf61c529c6056
                                                                        • Instruction ID: 335277f2c3172877ca44df6c8fe5ffbb39c543918538695ac79e0e990f596c31
                                                                        • Opcode Fuzzy Hash: 4c9c4bb3c1a26daef0c023e6039255180360869b19d93e6a20daf61c529c6056
                                                                        • Instruction Fuzzy Hash: 70A16E35E0021A9FCB44DFA4D8549EDFBBAFF89310F158219E416AB3A4DB30E846CB51
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530467685.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1350000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c32a7892c08458b4b66fd293cacaec7e744eb186ca44cad411ef0b48c7130004
                                                                        • Instruction ID: db99f345dae79767af334114827ce730e2adbff0a9599e8fe22de99373a4de21
                                                                        • Opcode Fuzzy Hash: c32a7892c08458b4b66fd293cacaec7e744eb186ca44cad411ef0b48c7130004
                                                                        • Instruction Fuzzy Hash: 8C917170E00209DFDF54CFA9D985BDDBBF2BF88718F248129E815A7254EB349985CB81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: afa0c89e9f38bef76f2e4bade17aa696a68b988a9b8bd96c2b8b9351a841e8fc
                                                                        • Instruction ID: 82db04d8db70aac3ce04b3bdee668da350eecc956e62055ec6425819d59d341c
                                                                        • Opcode Fuzzy Hash: afa0c89e9f38bef76f2e4bade17aa696a68b988a9b8bd96c2b8b9351a841e8fc
                                                                        • Instruction Fuzzy Hash: 27918E35E0030A9FCB45DFA0D8548DDFBBAEF89310F158619E516AB2A5DB30E842CB61
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b1382f49afbff5e6b5736f4783290a45e77238769f3159c46beb2f23e5b567b6
                                                                        • Instruction ID: 73f319e1833193dfab814adc09cd170528c5346ecf8af08a6cf695fbd272447c
                                                                        • Opcode Fuzzy Hash: b1382f49afbff5e6b5736f4783290a45e77238769f3159c46beb2f23e5b567b6
                                                                        • Instruction Fuzzy Hash: F9916E35E0030A9FCB04DFA4D8549DDFBBAFF89320F158219E516AB264DB30E942CB51

                                                                        Control-flow Graph

                                                                        control_flow_graph 0 6dda968-6dda986 1 6dda988-6dda98b 0->1 2 6ddab85-6ddab8e 1->2 3 6dda991-6dda994 1->3 6 6ddab94-6ddab9e 2->6 7 6dda9d0-6dda9d9 2->7 4 6dda9b7-6dda9ba 3->4 5 6dda996-6dda9b2 3->5 10 6dda9bc-6dda9c0 4->10 11 6dda9cb-6dda9ce 4->11 5->4 8 6ddab9f-6ddabd6 7->8 9 6dda9df-6dda9e3 7->9 20 6ddabd8-6ddabdb 8->20 13 6dda9e8-6dda9eb 9->13 10->6 12 6dda9c6 10->12 11->7 11->13 12->11 15 6dda9ed-6dda9fa 13->15 16 6dda9ff-6ddaa02 13->16 15->16 18 6ddaa1c-6ddaa1f 16->18 19 6ddaa04-6ddaa17 16->19 25 6ddaa29-6ddaa2c 18->25 26 6ddaa21-6ddaa26 18->26 19->18 22 6ddabdd-6ddabe1 20->22 23 6ddabe8-6ddabeb 20->23 27 6ddac01-6ddac3c 22->27 28 6ddabe3 22->28 29 6ddabed-6ddabf7 23->29 30 6ddabf8-6ddabfb 23->30 32 6ddaa3c-6ddaa3e 25->32 33 6ddaa2e-6ddaa37 25->33 26->25 41 6ddae2f-6ddae42 27->41 42 6ddac42-6ddac4e 27->42 28->23 30->27 34 6ddae64-6ddae67 30->34 35 6ddaa45-6ddaa48 32->35 36 6ddaa40 32->36 33->32 39 6ddae69-6ddae85 34->39 40 6ddae8a-6ddae8d 34->40 35->1 37 6ddaa4e-6ddaa72 35->37 36->35 58 6ddaa78-6ddaa87 37->58 59 6ddab82 37->59 39->40 43 6ddae9c-6ddae9e 40->43 44 6ddae8f 40->44 49 6ddae44 41->49 54 6ddac6e-6ddacb2 42->54 55 6ddac50-6ddac69 42->55 45 6ddaea5-6ddaea8 43->45 46 6ddaea0 43->46 124 6ddae8f call 6ddaed0 44->124 125 6ddae8f call 6ddaec0 44->125 45->20 51 6ddaeae-6ddaeb8 45->51 46->45 53 6ddae45 49->53 52 6ddae95-6ddae97 52->43 53->53 74 6ddacce-6ddad0d 54->74 75 6ddacb4-6ddacc6 54->75 55->49 62 6ddaa9f-6ddaada call 6dd6238 58->62 63 6ddaa89-6ddaa8f 58->63 59->2 84 6ddaadc-6ddaae2 62->84 85 6ddaaf2-6ddab09 62->85 65 6ddaa91 63->65 66 6ddaa93-6ddaa95 63->66 65->62 66->62 80 6ddadf4-6ddae09 74->80 81 6ddad13-6ddadee call 6dd6238 74->81 75->74 80->41 81->80 86 6ddaae4 84->86 87 6ddaae6-6ddaae8 84->87 94 6ddab0b-6ddab11 85->94 95 6ddab21-6ddab32 85->95 86->85 87->85 96 6ddab15-6ddab17 94->96 97 6ddab13 94->97 100 6ddab4a-6ddab7b 95->100 101 6ddab34-6ddab3a 95->101 96->95 97->95 100->59 102 6ddab3c 101->102 103 6ddab3e-6ddab40 101->103 102->100 103->100 124->52 125->52
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-1273862796
                                                                        • Opcode ID: 72005407f84a1cde76606dfb04ec4c6e79b4c1ec412ceea42c6d309d65e048df
                                                                        • Instruction ID: a2f26f29de522e3067c63afae1eabda0fe66493a2a3d84d48fab14c1aced0754
                                                                        • Opcode Fuzzy Hash: 72005407f84a1cde76606dfb04ec4c6e79b4c1ec412ceea42c6d309d65e048df
                                                                        • Instruction Fuzzy Hash: 19E16030F102098FDB69EF68D990A6EB7B6EF84304F148529D805EB394DB79DC46CB91

                                                                        Control-flow Graph

                                                                        control_flow_graph 574 6dca629-6dca630 575 6dca639-6dca6c7 GetCurrentProcess 574->575 576 6dca632-6dca638 574->576 581 6dca6c9-6dca6cf 575->581 582 6dca6d0-6dca704 GetCurrentThread 575->582 576->575 581->582 583 6dca70d-6dca741 GetCurrentProcess 582->583 584 6dca706-6dca70c 582->584 585 6dca74a-6dca765 call 6dca808 583->585 586 6dca743-6dca749 583->586 584->583 590 6dca76b-6dca79a GetCurrentThreadId 585->590 586->585 591 6dca79c-6dca7a2 590->591 592 6dca7a3-6dca805 590->592 591->592
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 06DCA6B6
                                                                        • GetCurrentThread.KERNEL32 ref: 06DCA6F3
                                                                        • GetCurrentProcess.KERNEL32 ref: 06DCA730
                                                                        • GetCurrentThreadId.KERNEL32 ref: 06DCA789
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID:
                                                                        • API String ID: 2063062207-0
                                                                        • Opcode ID: be8ae081977077b40ea31084d31da9b35c88bf17b35f578c86cf51c3955af799
                                                                        • Instruction ID: 73496e7ac414d272377ed8a797efa6c1f002600a7eed6d00562db67d8de97751
                                                                        • Opcode Fuzzy Hash: be8ae081977077b40ea31084d31da9b35c88bf17b35f578c86cf51c3955af799
                                                                        • Instruction Fuzzy Hash: CB5133B090160ACFDB54DFA9D948BEEBBF1FF48310F248459D10AA73A0D7389944CBA5

                                                                        Control-flow Graph

                                                                        control_flow_graph 599 6dca638-6dca6c7 GetCurrentProcess 604 6dca6c9-6dca6cf 599->604 605 6dca6d0-6dca704 GetCurrentThread 599->605 604->605 606 6dca70d-6dca741 GetCurrentProcess 605->606 607 6dca706-6dca70c 605->607 608 6dca74a-6dca765 call 6dca808 606->608 609 6dca743-6dca749 606->609 607->606 613 6dca76b-6dca79a GetCurrentThreadId 608->613 609->608 614 6dca79c-6dca7a2 613->614 615 6dca7a3-6dca805 613->615 614->615
                                                                        APIs
                                                                        • GetCurrentProcess.KERNEL32 ref: 06DCA6B6
                                                                        • GetCurrentThread.KERNEL32 ref: 06DCA6F3
                                                                        • GetCurrentProcess.KERNEL32 ref: 06DCA730
                                                                        • GetCurrentThreadId.KERNEL32 ref: 06DCA789
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: Current$ProcessThread
                                                                        • String ID:
                                                                        • API String ID: 2063062207-0
                                                                        • Opcode ID: 29342bb7156e759c14f6610ad0e24f3a084e0abf76a37328a2870f9003d8365c
                                                                        • Instruction ID: 4773160bcb954c5064fc11ffbb51dd23fec29834f6335ab5de93551dda330174
                                                                        • Opcode Fuzzy Hash: 29342bb7156e759c14f6610ad0e24f3a084e0abf76a37328a2870f9003d8365c
                                                                        • Instruction Fuzzy Hash: A95144B090160ACFDB54DFA9D948BEEBBF1FF48310F248419D109A73A0D7389944CBA5

                                                                        Control-flow Graph

                                                                        control_flow_graph 622 6dd8de8-6dd8e0d 623 6dd8e0f-6dd8e12 622->623 624 6dd8e38-6dd8e3b 623->624 625 6dd8e14-6dd8e33 623->625 626 6dd96fb-6dd96fd 624->626 627 6dd8e41-6dd8e56 624->627 625->624 629 6dd96ff 626->629 630 6dd9704-6dd9707 626->630 633 6dd8e6e-6dd8e84 627->633 634 6dd8e58-6dd8e5e 627->634 629->630 630->623 632 6dd970d-6dd9717 630->632 639 6dd8e8f-6dd8e91 633->639 636 6dd8e60 634->636 637 6dd8e62-6dd8e64 634->637 636->633 637->633 640 6dd8ea9-6dd8f1a 639->640 641 6dd8e93-6dd8e99 639->641 652 6dd8f1c-6dd8f3f 640->652 653 6dd8f46-6dd8f62 640->653 642 6dd8e9d-6dd8e9f 641->642 643 6dd8e9b 641->643 642->640 643->640 652->653 658 6dd8f8e-6dd8fa9 653->658 659 6dd8f64-6dd8f87 653->659 664 6dd8fab-6dd8fcd 658->664 665 6dd8fd4-6dd8fef 658->665 659->658 664->665 670 6dd901a-6dd9024 665->670 671 6dd8ff1-6dd9013 665->671 672 6dd9034-6dd90ae 670->672 673 6dd9026-6dd902f 670->673 671->670 679 6dd90fb-6dd9110 672->679 680 6dd90b0-6dd90ce 672->680 673->632 679->626 684 6dd90ea-6dd90f9 680->684 685 6dd90d0-6dd90df 680->685 684->679 684->680 685->684
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                        • API String ID: 0-858218434
                                                                        • Opcode ID: 6da84b21bfac455883bca7f27aa15f9d05b79fbd27a45fe61ce53e9e83280050
                                                                        • Instruction ID: 98737daab47a6369de997f7dc4e188a7b95db2f30b59d67731e540faa5ec138d
                                                                        • Opcode Fuzzy Hash: 6da84b21bfac455883bca7f27aa15f9d05b79fbd27a45fe61ce53e9e83280050
                                                                        • Instruction Fuzzy Hash: 9B914030B0020A9FDB55DF69D9607AEB3F6FFC4600F108569C809EB394EA35DD468B92

                                                                        Control-flow Graph

                                                                        control_flow_graph 688 6ddcff8-6ddd013 689 6ddd015-6ddd018 688->689 690 6ddd01a-6ddd05c 689->690 691 6ddd061-6ddd064 689->691 690->691 692 6ddd0ad-6ddd0b0 691->692 693 6ddd066-6ddd0a8 691->693 695 6ddd0cd-6ddd0d0 692->695 696 6ddd0b2-6ddd0c8 692->696 693->692 698 6ddd4e4-6ddd4f0 695->698 699 6ddd0d6-6ddd0d9 695->699 696->695 701 6ddd127-6ddd136 698->701 702 6ddd4f6-6ddd7e3 698->702 703 6ddd0db-6ddd11d 699->703 704 6ddd122-6ddd125 699->704 707 6ddd138-6ddd13d 701->707 708 6ddd145-6ddd151 701->708 901 6ddd7e9-6ddd7ef 702->901 902 6ddda0a-6ddda14 702->902 703->704 704->701 706 6ddd16e-6ddd171 704->706 715 6ddd180-6ddd183 706->715 716 6ddd173-6ddd175 706->716 707->708 712 6ddda15-6ddda4e 708->712 713 6ddd157-6ddd169 708->713 734 6ddda50-6ddda53 712->734 713->706 721 6ddd185-6ddd1a1 715->721 722 6ddd1a6-6ddd1a9 715->722 719 6ddd39f-6ddd3a8 716->719 720 6ddd17b 716->720 729 6ddd3aa-6ddd3af 719->729 730 6ddd3b7-6ddd3c3 719->730 720->715 721->722 724 6ddd1ab-6ddd1b0 722->724 725 6ddd1b3-6ddd1b6 722->725 724->725 735 6ddd1ff-6ddd202 725->735 736 6ddd1b8-6ddd1fa 725->736 729->730 732 6ddd3c9-6ddd3dd 730->732 733 6ddd4d4-6ddd4d9 730->733 761 6ddd4e1 732->761 762 6ddd3e3-6ddd3f5 732->762 733->761 742 6ddda55 734->742 743 6ddda62-6ddda65 734->743 739 6ddd24b-6ddd24e 735->739 740 6ddd204-6ddd246 735->740 736->735 751 6ddd25d-6ddd260 739->751 752 6ddd250-6ddd252 739->752 740->739 948 6ddda55 call 6dddb6d 742->948 949 6ddda55 call 6dddb80 742->949 749 6ddda98-6ddda9b 743->749 750 6ddda67-6ddda93 743->750 756 6ddda9d-6dddab9 749->756 757 6dddabe-6dddac0 749->757 750->749 764 6ddd2a9-6ddd2ac 751->764 765 6ddd262-6ddd271 751->765 752->761 763 6ddd258 752->763 755 6ddda5b-6ddda5d 755->743 756->757 771 6dddac7-6dddaca 757->771 772 6dddac2 757->772 761->698 784 6ddd419-6ddd41b 762->784 785 6ddd3f7-6ddd3fd 762->785 763->751 768 6ddd2ae-6ddd2f0 764->768 769 6ddd2f5-6ddd2f8 764->769 766 6ddd280-6ddd28c 765->766 767 6ddd273-6ddd278 765->767 766->712 773 6ddd292-6ddd2a4 766->773 767->766 768->769 778 6ddd2fa-6ddd33c 769->778 779 6ddd341-6ddd344 769->779 771->734 777 6dddacc-6dddadb 771->777 772->771 773->764 802 6dddadd-6dddb40 call 6dd6238 777->802 803 6dddb42-6dddb57 777->803 778->779 786 6ddd38d-6ddd38f 779->786 787 6ddd346-6ddd388 779->787 798 6ddd425-6ddd431 784->798 796 6ddd3ff 785->796 797 6ddd401-6ddd40d 785->797 789 6ddd396-6ddd399 786->789 790 6ddd391 786->790 787->786 789->689 789->719 790->789 804 6ddd40f-6ddd417 796->804 797->804 816 6ddd43f 798->816 817 6ddd433-6ddd43d 798->817 802->803 818 6dddb58 803->818 804->798 823 6ddd444-6ddd446 816->823 817->823 818->818 823->761 827 6ddd44c-6ddd468 call 6dd6238 823->827 841 6ddd46a-6ddd46f 827->841 842 6ddd477-6ddd483 827->842 841->842 842->733 844 6ddd485-6ddd4d2 842->844 844->761 903 6ddd7fe-6ddd807 901->903 904 6ddd7f1-6ddd7f6 901->904 903->712 905 6ddd80d-6ddd820 903->905 904->903 907 6ddd9fa-6ddda04 905->907 908 6ddd826-6ddd82c 905->908 907->901 907->902 909 6ddd82e-6ddd833 908->909 910 6ddd83b-6ddd844 908->910 909->910 910->712 911 6ddd84a-6ddd86b 910->911 914 6ddd86d-6ddd872 911->914 915 6ddd87a-6ddd883 911->915 914->915 915->712 916 6ddd889-6ddd8a6 915->916 916->907 919 6ddd8ac-6ddd8b2 916->919 919->712 920 6ddd8b8-6ddd8d1 919->920 922 6ddd9ed-6ddd9f4 920->922 923 6ddd8d7-6ddd8fe 920->923 922->907 922->919 923->712 926 6ddd904-6ddd90e 923->926 926->712 927 6ddd914-6ddd92b 926->927 929 6ddd92d-6ddd938 927->929 930 6ddd93a-6ddd955 927->930 929->930 930->922 935 6ddd95b-6ddd974 call 6dd6238 930->935 939 6ddd976-6ddd97b 935->939 940 6ddd983-6ddd98c 935->940 939->940 940->712 941 6ddd992-6ddd9e6 940->941 941->922 948->755 949->755
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q
                                                                        • API String ID: 0-182748909
                                                                        • Opcode ID: c2533fcfc3e7b05aa0e2cb22e7c3ef11d3eb954d57281f2bd26b2932f72add84
                                                                        • Instruction ID: 829302dcc97117e26c1f827eed0714c817287aa9cd20ad557eade37321679cd4
                                                                        • Opcode Fuzzy Hash: c2533fcfc3e7b05aa0e2cb22e7c3ef11d3eb954d57281f2bd26b2932f72add84
                                                                        • Instruction Fuzzy Hash: F1620D3060060A8FCB55EF68D690A5DB7F6FF84304B208A79D0499F359DB79ED4ACB81

                                                                        Control-flow Graph

                                                                        control_flow_graph 950 6dd4840-6dd4864 951 6dd4866-6dd4869 950->951 952 6dd486b-6dd4885 951->952 953 6dd488a-6dd488d 951->953 952->953 954 6dd4f6c-6dd4f6e 953->954 955 6dd4893-6dd498b 953->955 956 6dd4f75-6dd4f78 954->956 957 6dd4f70 954->957 973 6dd4a0e-6dd4a15 955->973 974 6dd4991-6dd49d9 955->974 956->951 959 6dd4f7e-6dd4f8b 956->959 957->956 975 6dd4a99-6dd4aa2 973->975 976 6dd4a1b-6dd4a8b 973->976 995 6dd49de call 6dd50e9 974->995 996 6dd49de call 6dd50f8 974->996 975->959 993 6dd4a8d 976->993 994 6dd4a96 976->994 987 6dd49e4-6dd4a00 990 6dd4a0b 987->990 991 6dd4a02 987->991 990->973 991->990 993->994 994->975 995->987 996->987
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: fbq$XPbq$\Obq
                                                                        • API String ID: 0-4057264190
                                                                        • Opcode ID: 5f808ce20591caf49fc25f43c5b61221a5446695e99f3e4018bb022fde8eba33
                                                                        • Instruction ID: 02a7513077fda3e909a3b4b780ec9334531774a9d727533baff786efd53b2b45
                                                                        • Opcode Fuzzy Hash: 5f808ce20591caf49fc25f43c5b61221a5446695e99f3e4018bb022fde8eba33
                                                                        • Instruction Fuzzy Hash: 94618430F102199FEF54EFA5C854BAEBAF6FF88710F208429D105AB395DB758C468B51
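The control_flow_graph lines in this report are the text behind the plugin's graph images, flattened to one line per function, and the APIs lists give each API reference as a "ref:" address. The script below is an added example for working with that text; it is not part of Joe Sandbox or of this report. It parses a graph into basic blocks, edges, API names and "call <addr>" targets, maps a "ref:" address back to the block containing it, and reports roots, exits and blocks unreachable from the entry. The token grammar it assumes is inferred from the lines above, not from plugin documentation; the two sample graphs (the function at 6dca629 that calls GetCurrentProcess/GetCurrentThread and the function at 6dd4840) are copied from this report.

```python
"""Parse the flattened control_flow_graph text that Joe Sandbox's IDA plugin renders (one line
per function in this report) into blocks, edges, API references and call targets.  The grammar
assumed here (node id, address or start-end range, optional API names or "call <addr>", edges
as "a->b") is inferred from the lines in this report, not taken from plugin documentation."""
import re
from collections import Counter
from dataclasses import dataclass, field

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
ADDR_RE = re.compile(r"^([0-9a-fA-F]+)(?:-([0-9a-fA-F]+))?$")

# Two graphs copied verbatim from this report: the function at 6dca629 (the one that calls
# GetCurrentProcess/GetCurrentThread) and the function at 6dd4840.
SAMPLE_A = ("control_flow_graph 574 6dca629-6dca630 575 6dca639-6dca6c7 GetCurrentProcess 574->575 "
            "576 6dca632-6dca638 574->576 581 6dca6c9-6dca6cf 575->581 582 6dca6d0-6dca704 "
            "GetCurrentThread 575->582 576->575 581->582 583 6dca70d-6dca741 GetCurrentProcess "
            "582->583 584 6dca706-6dca70c 582->584 585 6dca74a-6dca765 call 6dca808 583->585 "
            "586 6dca743-6dca749 583->586 584->583 590 6dca76b-6dca79a GetCurrentThreadId 585->590 "
            "586->585 591 6dca79c-6dca7a2 590->591 592 6dca7a3-6dca805 590->592 591->592")
SAMPLE_B = ("control_flow_graph 950 6dd4840-6dd4864 951 6dd4866-6dd4869 950->951 952 6dd486b-6dd4885 "
            "951->952 953 6dd488a-6dd488d 951->953 952->953 954 6dd4f6c-6dd4f6e 953->954 "
            "955 6dd4893-6dd498b 953->955 956 6dd4f75-6dd4f78 954->956 957 6dd4f70 954->957 "
            "973 6dd4a0e-6dd4a15 955->973 974 6dd4991-6dd49d9 955->974 956->951 959 6dd4f7e-6dd4f8b "
            "956->959 957->956 975 6dd4a99-6dd4aa2 973->975 976 6dd4a1b-6dd4a8b 973->976 "
            "995 6dd49de call 6dd50e9 974->995 996 6dd49de call 6dd50f8 974->996 975->959 "
            "993 6dd4a8d 976->993 994 6dd4a96 976->994 987 6dd49e4-6dd4a00 990 6dd4a0b 987->990 "
            "991 6dd4a02 987->991 990->973 991->990 993->994 994->975 995->987 996->987")

@dataclass
class Block:
    node_id: int
    start: int
    end: int
    apis: list = field(default_factory=list)   # API names printed on the block
    calls: list = field(default_factory=list)  # targets of "call <addr>" annotations

def parse_cfg(text):
    """Return (blocks, edges): node id -> Block in definition order, and (src, dst) id pairs."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        if m := EDGE_RE.match(tok):                            # "574->575"
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit():                                    # "574 6dca629-6dca630" or "957 6dd4f70"
            am = ADDR_RE.match(tokens[i + 1]) if i + 1 < len(tokens) else None
            if am is None:
                raise ValueError(f"node {tok} is not followed by an address")
            start, end = int(am.group(1), 16), int(am.group(2) or am.group(1), 16)
            current = blocks[int(tok)] = Block(int(tok), start, end)
            i += 2
        elif current is None:
            raise ValueError(f"annotation {tok!r} appears before any node")
        elif tok == "call":                                    # "call 6dca808" (IndexError if cut off)
            current.calls.append(int(tokens[i + 1], 16))
            i += 2
        else:                                                  # bare API name, e.g. GetCurrentThread
            current.apis.append(tok)
            i += 1
    bad = [e for e in edges if e[0] not in blocks or e[1] not in blocks]
    if bad:
        raise ValueError(f"edges reference undefined nodes: {bad}")
    return blocks, edges

def block_for(blocks, addr):
    """Map an address (e.g. a 'ref:' address from the report's APIs list) to its block."""
    return next((b for b in blocks.values() if b.start <= addr <= b.end), None)

def summarize(text):
    blocks, edges = parse_cfg(text)
    ids = list(blocks)
    has_in, has_out = {d for _, d in edges}, {s for s, _ in edges}
    succ = {}
    for s, d in edges:
        succ.setdefault(s, []).append(d)
    seen, stack = set(), [ids[0]]                  # first-defined node is the function entry
    while stack:                                   # depth-first reachability from the entry
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(succ.get(n, []))
    per_start = Counter(b.start for b in blocks.values())
    return {
        "entry": f"{blocks[ids[0]].start:x}",
        "blocks": len(ids),
        "edges": len(edges),
        "roots": [n for n in ids if n not in has_in],          # no predecessor
        "exits": [n for n in ids if n not in has_out],         # no successor
        "unreachable": sorted(set(ids) - seen),
        "apis": [a for b in blocks.values() for a in b.apis],
        "calls": [f"{c:x}" for b in blocks.values() for c in b.calls],
        # one address defined as several nodes (6dd49de is listed once per call target)
        "shared_sites": sorted(f"{a:x}" for a, n in per_start.items() if n > 1),
    }
```

For the 6dca629 graph, summarize reports 12 blocks and 16 edges with a single root (574), a single exit (592) and nothing unreachable, and block_for ties each "ref:" address from the APIs list (06DCA6B6, 06DCA6F3, 06DCA730, 06DCA789) to the block carrying the matching API name. For the 6dd4840 graph it reports the two call targets 6dd50e9 and 6dd50f8 and flags 6dd49de as an address defined twice, which matters before comparing block or edge counts between functions.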

                                                                        Control-flow Graph

                                                                        control_flow_graph 1827 6dd8dd9-6dd8e0d 1828 6dd8e0f-6dd8e12 1827->1828 1829 6dd8e38-6dd8e3b 1828->1829 1830 6dd8e14-6dd8e33 1828->1830 1831 6dd96fb-6dd96fd 1829->1831 1832 6dd8e41-6dd8e56 1829->1832 1830->1829 1834 6dd96ff 1831->1834 1835 6dd9704-6dd9707 1831->1835 1838 6dd8e6e-6dd8e84 1832->1838 1839 6dd8e58-6dd8e5e 1832->1839 1834->1835 1835->1828 1837 6dd970d-6dd9717 1835->1837 1844 6dd8e8f-6dd8e91 1838->1844 1841 6dd8e60 1839->1841 1842 6dd8e62-6dd8e64 1839->1842 1841->1838 1842->1838 1845 6dd8ea9-6dd8f1a 1844->1845 1846 6dd8e93-6dd8e99 1844->1846 1857 6dd8f1c-6dd8f3f 1845->1857 1858 6dd8f46-6dd8f62 1845->1858 1847 6dd8e9d-6dd8e9f 1846->1847 1848 6dd8e9b 1846->1848 1847->1845 1848->1845 1857->1858 1863 6dd8f8e-6dd8fa9 1858->1863 1864 6dd8f64-6dd8f87 1858->1864 1869 6dd8fab-6dd8fcd 1863->1869 1870 6dd8fd4-6dd8fef 1863->1870 1864->1863 1869->1870 1875 6dd901a-6dd9024 1870->1875 1876 6dd8ff1-6dd9013 1870->1876 1877 6dd9034-6dd90ae 1875->1877 1878 6dd9026-6dd902f 1875->1878 1876->1875 1884 6dd90fb-6dd9110 1877->1884 1885 6dd90b0-6dd90ce 1877->1885 1878->1837 1884->1831 1889 6dd90ea-6dd90f9 1885->1889 1890 6dd90d0-6dd90df 1885->1890 1889->1884 1889->1885 1890->1889
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q
                                                                        • API String ID: 0-127220927
                                                                        • Opcode ID: a77a056df61207bbe116e74d77041c5ed6648ae15e30cdfff0f37825aca57e97
                                                                        • Instruction ID: d3ddcbebdca8e5fed8474e8c5606eed10af9631aa53e5157ee90dbde6f74af50
                                                                        • Opcode Fuzzy Hash: a77a056df61207bbe116e74d77041c5ed6648ae15e30cdfff0f37825aca57e97
                                                                        • Instruction Fuzzy Hash: 8C513F30B002069FDB95DF79D990B6E73F6FBC8644F108569D409EB394DA35DC068B92

                                                                        Control-flow Graph

                                                                        control_flow_graph 1931 6dd4831-6dd4864 1932 6dd4866-6dd4869 1931->1932 1933 6dd486b-6dd4885 1932->1933 1934 6dd488a-6dd488d 1932->1934 1933->1934 1935 6dd4f6c-6dd4f6e 1934->1935 1936 6dd4893-6dd498b 1934->1936 1937 6dd4f75-6dd4f78 1935->1937 1938 6dd4f70 1935->1938 1954 6dd4a0e-6dd4a15 1936->1954 1955 6dd4991-6dd49d9 1936->1955 1937->1932 1940 6dd4f7e-6dd4f8b 1937->1940 1938->1937 1956 6dd4a99-6dd4aa2 1954->1956 1957 6dd4a1b-6dd4a8b 1954->1957 1976 6dd49de call 6dd50e9 1955->1976 1977 6dd49de call 6dd50f8 1955->1977 1956->1940 1974 6dd4a8d 1957->1974 1975 6dd4a96 1957->1975 1968 6dd49e4-6dd4a00 1971 6dd4a0b 1968->1971 1972 6dd4a02 1968->1972 1971->1954 1972->1971 1974->1975 1975->1956 1976->1968 1977->1968
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: fbq$XPbq
                                                                        • API String ID: 0-2292610095
                                                                        • Opcode ID: e64a20982fea697fc0d4013a0a576d60d0bec62d744ed32ece7e5fe01bc9470e
                                                                        • Instruction ID: cdbc5f6a474a02b8f462743f5acba2379cde86d661817cd6645764ef31aecf65
                                                                        • Opcode Fuzzy Hash: e64a20982fea697fc0d4013a0a576d60d0bec62d744ed32ece7e5fe01bc9470e
                                                                        • Instruction Fuzzy Hash: 32519370F102199FDB54EFE5C854BAEBBF6FF88700F208529D106AB395DA758C068B91

                                                                        Control-flow Graph

                                                                        control_flow_graph 1978 6dc6c2f-6dc6c32 1979 6dc6c3a-6dc6c9e 1978->1979 1980 6dc6c34-6dc6c39 1978->1980 1981 6dc6ca9-6dc6cb0 1979->1981 1982 6dc6ca0-6dc6ca6 1979->1982 1980->1979 1983 6dc6cbb-6dc6cf3 1981->1983 1984 6dc6cb2-6dc6cb8 1981->1984 1982->1981 1985 6dc6cfb-6dc6d5a CreateWindowExW 1983->1985 1984->1983 1986 6dc6d5c-6dc6d62 1985->1986 1987 6dc6d63-6dc6d9b 1985->1987 1986->1987 1991 6dc6d9d-6dc6da0 1987->1991 1992 6dc6da8 1987->1992 1991->1992 1993 6dc6da9 1992->1993 1993->1993
                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DC6D4A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: 87a4bc9ebf4c2f83f19801c9e0bc66ecdcbb1be6658df0851a327126ea70bbea
                                                                        • Instruction ID: 288bdf538b2cca1d5586fe3ee8408923167398e908d48e6208cd9586216eb28f
                                                                        • Opcode Fuzzy Hash: 87a4bc9ebf4c2f83f19801c9e0bc66ecdcbb1be6658df0851a327126ea70bbea
                                                                        • Instruction Fuzzy Hash: 7C51CFB5D003499FDB14CF99C984ADEBFB5FF88310F24812AE919AB210D7759886CF90

                                                                        Control-flow Graph

                                                                        control_flow_graph 1994 6dc6c38-6dc6c9e 1995 6dc6ca9-6dc6cb0 1994->1995 1996 6dc6ca0-6dc6ca6 1994->1996 1997 6dc6cbb-6dc6d5a CreateWindowExW 1995->1997 1998 6dc6cb2-6dc6cb8 1995->1998 1996->1995 2000 6dc6d5c-6dc6d62 1997->2000 2001 6dc6d63-6dc6d9b 1997->2001 1998->1997 2000->2001 2005 6dc6d9d-6dc6da0 2001->2005 2006 6dc6da8 2001->2006 2005->2006 2007 6dc6da9 2006->2007 2007->2007
                                                                        APIs
                                                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06DC6D4A
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: CreateWindow
                                                                        • String ID:
                                                                        • API String ID: 716092398-0
                                                                        • Opcode ID: b2447f7470e8911b0534c33b445afaba5aeabc654b1daf72de5b4ad9a5617c88
                                                                        • Instruction ID: e78fe644298c446488b3fc9599d347124ffc9e024ee81a1ee5289a0f272481a8
                                                                        • Opcode Fuzzy Hash: b2447f7470e8911b0534c33b445afaba5aeabc654b1daf72de5b4ad9a5617c88
                                                                        • Instruction Fuzzy Hash: 4041A0B1D003499FDB14CF99C984ADEBBB5FF88310F24812AE519AB210D775A885CF90

                                                                        Control-flow Graph

                                                                        control_flow_graph 2008 6dca434-6dcb74c 2011 6dcb7fc-6dcb81c call 6dc5a04 2008->2011 2012 6dcb752-6dcb757 2008->2012 2019 6dcb81f-6dcb82c 2011->2019 2014 6dcb759-6dcb790 2012->2014 2015 6dcb7aa-6dcb7e2 CallWindowProcW 2012->2015 2021 6dcb799-6dcb7a8 2014->2021 2022 6dcb792-6dcb798 2014->2022 2017 6dcb7eb-6dcb7fa 2015->2017 2018 6dcb7e4-6dcb7ea 2015->2018 2017->2019 2018->2017 2021->2019 2022->2021
                                                                        APIs
                                                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 06DCB7D1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: CallProcWindow
                                                                        • String ID:
                                                                        • API String ID: 2714655100-0
                                                                        • Opcode ID: 5c9a17e0defff4ff31e80f7211feed11e0ae994c715bc75f1d9feefe3e70279a
                                                                        • Instruction ID: b302afb8ac630ff862dc63c2f01c22771e5d70066ba81480f17c129f1ae2df8a
                                                                        • Opcode Fuzzy Hash: 5c9a17e0defff4ff31e80f7211feed11e0ae994c715bc75f1d9feefe3e70279a
                                                                        • Instruction Fuzzy Hash: 65412AB4D003098FDB54CF99C489AAABBF5FF88324F24C459E519AB361D735E841CBA0
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard
                                                                        • String ID:
                                                                        • API String ID: 220874293-0
                                                                        • Opcode ID: 84e5489550b970d8d131cd58eeab1b6999fdda6ef3405a9e858492ca26f478d5
                                                                        • Instruction ID: 7ae5abba608510d55883eede2960394c0064d099f7ed80ff06a7f1195b46c5d9
                                                                        • Opcode Fuzzy Hash: 84e5489550b970d8d131cd58eeab1b6999fdda6ef3405a9e858492ca26f478d5
                                                                        • Instruction Fuzzy Hash: 003130B0D1120DDFDB50CFA8C984BDEBBF5AF48314F248029E108AB390D774A845CBA5
                                                                        APIs
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: Clipboard
                                                                        • String ID:
                                                                        • API String ID: 220874293-0
                                                                        • Opcode ID: e64dcc116cae5c0eeb2bd22b071636c774b45d37897c3894c24008a60a84cae5
                                                                        • Instruction ID: 95faca6829cf5bf371c2bdc53837e7202cb80ce0eedf3c620309d7d5e71da395
                                                                        • Opcode Fuzzy Hash: e64dcc116cae5c0eeb2bd22b071636c774b45d37897c3894c24008a60a84cae5
                                                                        • Instruction Fuzzy Hash: 6F3131B0D1120DDFDB50CF99C984B9DBBF5AF48314F248019E508AB390D774A944CBA4
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 01357EFF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530467685.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1350000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: 2448a06d0ebaedcf8ce576b512d3c2ddcf6a736a0707eb7c87f06b647dbc5cc3
                                                                        • Instruction ID: 50519315d67f398a82775408467098e36abf8dbd5d2d422a715b9fafe527928b
                                                                        • Opcode Fuzzy Hash: 2448a06d0ebaedcf8ce576b512d3c2ddcf6a736a0707eb7c87f06b647dbc5cc3
                                                                        • Instruction Fuzzy Hash: 1F2166B18002598FCB10CFAAC484BEEFFF4AF49314F14845AE958A3351D738A944CFA0
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DCA907
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 51ca2a2cfc596f1e39dec72fd94eb38ac77f6bf2395584b3e03d4fe45ae5d925
                                                                        • Instruction ID: a680e48ab1f3e7a468e3feb6387f76ec07bf40fa3114dd0a30323d515eae091e
                                                                        • Opcode Fuzzy Hash: 51ca2a2cfc596f1e39dec72fd94eb38ac77f6bf2395584b3e03d4fe45ae5d925
                                                                        • Instruction Fuzzy Hash: 3121E5B59002499FDB10CF9AD584ADEBFF9FF48310F14841AE954A3310D379A940CFA5
                                                                        APIs
                                                                        • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 01357EFF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530467685.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1350000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: CheckDebuggerPresentRemote
                                                                        • String ID:
                                                                        • API String ID: 3662101638-0
                                                                        • Opcode ID: aa41dedb8d36ed040465de155a7a46f733bd56a277a9005c7238f7a32f6d3b11
                                                                        • Instruction ID: 6f015bd9c73b232fe94f4007c6b4600487acaf697a09f4b435f63aaab23b08ac
                                                                        • Opcode Fuzzy Hash: aa41dedb8d36ed040465de155a7a46f733bd56a277a9005c7238f7a32f6d3b11
                                                                        • Instruction Fuzzy Hash: D12137B18002598FCB10CF9AD484BEEFBF4EF49314F14845AE959A3350D778A944CFA5
                                                                        APIs
                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06DCA907
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: DuplicateHandle
                                                                        • String ID:
                                                                        • API String ID: 3793708945-0
                                                                        • Opcode ID: 834e73ff7679a177f429b7dc570344fe7a0c8d4fd9f99a39b4e31fd62a49c194
                                                                        • Instruction ID: a8c48da8c3da82c21249ee48e94c367ce50c343cec63ca4e0071e2726445576f
                                                                        • Opcode Fuzzy Hash: 834e73ff7679a177f429b7dc570344fe7a0c8d4fd9f99a39b4e31fd62a49c194
                                                                        • Instruction Fuzzy Hash: F821C4B590024D9FDB10CF9AD984ADEBBF9FB48320F14841AE958A3350D379A944CFA5
                                                                        APIs
                                                                        • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06DCDEC3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: HookWindows
                                                                        • String ID:
                                                                        • API String ID: 2559412058-0
                                                                        • Opcode ID: 78cf27d7dd55e32294c11c6ba7aae26e1dbd9835f9279760e103de6e52fbab8b
                                                                        • Instruction ID: 821b9be479c9a7df20e9e84501c640769de498124484e4040d046edf82f892a5
                                                                        • Opcode Fuzzy Hash: 78cf27d7dd55e32294c11c6ba7aae26e1dbd9835f9279760e103de6e52fbab8b
                                                                        • Instruction Fuzzy Hash: C221F5B59002098FCB54DF99C844ADEFBF5EF88320F148429D569A7290CB749945CFA1
                                                                        APIs
                                                                        • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06DCDEC3
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: HookWindows
                                                                        • String ID:
                                                                        • API String ID: 2559412058-0
                                                                        • Opcode ID: 3d0093638e24064e2d02fbe9664cceabcc336a773eff8026c402cd4fed99075a
                                                                        • Instruction ID: e52faf5da4b353a853ad573a1dfd664f95202dcb7bd775c573a324a282792b58
                                                                        • Opcode Fuzzy Hash: 3d0093638e24064e2d02fbe9664cceabcc336a773eff8026c402cd4fed99075a
                                                                        • Instruction Fuzzy Hash: EE2102B59002098FCB54DF9AC844BEEFBF9AF88320F14842AE559A7250C774A941CFA1
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 06DC57F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: e3e14853a10361f42d80f23ff00a4e1b713a4c89e4a2caf2979ffb1d8613fb4c
                                                                        • Instruction ID: 8bb867c4d551d8dd834d22d2ea28c9cd6d9db8ca747b5057b1480c6811fcad12
                                                                        • Opcode Fuzzy Hash: e3e14853a10361f42d80f23ff00a4e1b713a4c89e4a2caf2979ffb1d8613fb4c
                                                                        • Instruction Fuzzy Hash: BF111FB5C002498ECB10DF9AD448ADEFBF8EF89320F10852AD919A3650C379A585CFA4
                                                                        APIs
                                                                        • GlobalMemoryStatusEx.KERNEL32 ref: 0135F3EF
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530467685.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_1350000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: GlobalMemoryStatus
                                                                        • String ID:
                                                                        • API String ID: 1890195054-0
                                                                        • Opcode ID: 1233783db5e2ac1e07063d2e8a6f30fdbe416f27f4597842136845c0347b3e53
                                                                        • Instruction ID: 9eb99ca1e70f6a2d1e9c2db89c14e1cb37ba31c401248216574a1d6cc2a165b5
                                                                        • Opcode Fuzzy Hash: 1233783db5e2ac1e07063d2e8a6f30fdbe416f27f4597842136845c0347b3e53
                                                                        • Instruction Fuzzy Hash: AA111FB1C0065A9BCB10DF9AC544A9EFBF8EF48320F14812AE918A7240D378A944CFA5
                                                                        APIs
                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 06DC57F6
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: HandleModule
                                                                        • String ID:
                                                                        • API String ID: 4139908857-0
                                                                        • Opcode ID: b7097e97e497cfecf1ff769a4c3fea34fcfc12a012c0651bc8b90d6fc870b0e8
                                                                        • Instruction ID: 0921be3ed563ccf0eb57b9d36fc740b39efd15a2b23c03ac42f1f1b00a8f842a
                                                                        • Opcode Fuzzy Hash: b7097e97e497cfecf1ff769a4c3fea34fcfc12a012c0651bc8b90d6fc870b0e8
                                                                        • Instruction Fuzzy Hash: 1B1120B5C00349CFCB10DF9AD448A9EFBF8EF89220F10802AD928B7200C379A545CFA4
                                                                        APIs
                                                                        • OleInitialize.OLE32(00000000), ref: 06DCC365
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID: Initialize
                                                                        • String ID:
                                                                        • API String ID: 2538663250-0
                                                                        • Instruction Fuzzy Hash: 8C418A71E006098BDB70DFA9E8C0AAFFBF5FB94314F10492AE216D7610D731E9498B90
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: f34b0dfa178787cd5800808a75f2fa71bd549c5748e839fc0d01b97c1a41f121
                                                                        • Instruction ID: 6f761bff9b03e3fb3024e5af907e5f9187681353cd2bfde4b3e7844faa1eb5f9
                                                                        • Opcode Fuzzy Hash: f34b0dfa178787cd5800808a75f2fa71bd549c5748e839fc0d01b97c1a41f121
                                                                        • Instruction Fuzzy Hash: 2231A630E1430A9BDF25EFA4D980A9EB7B6FF85304F108529E405EB344EB74E946CB91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 6ec0896ca584302ebc3e4fa3e3059913849bc8cf433147d51ebac4f4766fe0de
                                                                        • Instruction ID: a07d68341f6bd0f5b9ff077518f5342c4ca735070169c2c4202bb2221d37b58d
                                                                        • Opcode Fuzzy Hash: 6ec0896ca584302ebc3e4fa3e3059913849bc8cf433147d51ebac4f4766fe0de
                                                                        • Instruction Fuzzy Hash: FE318334F102099BCF59DFA4C9546AEBBB2BF89300F11C52AE915E7750DB31AD46CB41
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a817ae5d4f2b873ce1599c65b4076d2da4507b426d41a363c68aa2140de84005
                                                                        • Instruction ID: 4d61d11473da736124525deb901d270d8986eec4258dc0d8752d237a5907bdc8
                                                                        • Opcode Fuzzy Hash: a817ae5d4f2b873ce1599c65b4076d2da4507b426d41a363c68aa2140de84005
                                                                        • Instruction Fuzzy Hash: FC31AE31E006058FCB70DFA9DCC0AAFBBF6FB95310F104A2AD156D7650D730A9498B91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c025bf51c11f36e687537a0b76c23bfdd0d23ef886c212f89624a635d5f24d68
                                                                        • Instruction ID: 1c59f8f38c8d834778d4040ddc50c42d3b6aefa50a2b8d8636bf0c0862d76356
                                                                        • Opcode Fuzzy Hash: c025bf51c11f36e687537a0b76c23bfdd0d23ef886c212f89624a635d5f24d68
                                                                        • Instruction Fuzzy Hash: 3A315030E1020A9BCF55DFA4D85469EBBB2FF89314F10C529E915E7350DB71AD46CB41
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: fa5ec1770202a1134dbf15053545219b88c4763cf94f777a954288098d31d130
                                                                        • Instruction ID: 435bc9bea9d72a80d722d9bb32f3f0736e09146923d76f1ddc957ea242ee0bcc
                                                                        • Opcode Fuzzy Hash: fa5ec1770202a1134dbf15053545219b88c4763cf94f777a954288098d31d130
                                                                        • Instruction Fuzzy Hash: 3621BF75E012159FDF50DFB9E881AADBBF5EB48610F048025E809FB380E739DD018B91
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 740a0d2bb52ae3c1435e4cad240a3dcba571075a21f72c1e4e34f59f02b83b53
                                                                        • Instruction ID: aa54bf06b8c54cb4bbe07eec6c9f813544b86837c1c9a5fc334dbb0967da4e68
                                                                        • Opcode Fuzzy Hash: 740a0d2bb52ae3c1435e4cad240a3dcba571075a21f72c1e4e34f59f02b83b53
                                                                        • Instruction Fuzzy Hash: 1E217C75E016159FDB50DFA9D880AAEBBF5EB48710F118029E909EB380E739DD018B92
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5813c54aa51032210ee94b427259ac5e111ee7f84babe53c176ef6e4dc3f7c52
                                                                        • Instruction ID: 7a2f274561edd5374c602b70bc8a7ef4aa45785fba30dc444c7d66cada189776
                                                                        • Opcode Fuzzy Hash: 5813c54aa51032210ee94b427259ac5e111ee7f84babe53c176ef6e4dc3f7c52
                                                                        • Instruction Fuzzy Hash: 5A21F331B100559BDF94EFA8E954AADB7F6EB84310F108139E445EB341EB34DD468BC1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530279777.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_12ad000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 529bb98f882967fbd1dff2664b8d9d28a238cea238fb3e3c7d506e5bc5c27c11
                                                                        • Instruction ID: 5838adf6f06723b7a721a9c500cc4c47b6930b4ac70464ab1f08fb08f478e1ea
                                                                        • Opcode Fuzzy Hash: 529bb98f882967fbd1dff2664b8d9d28a238cea238fb3e3c7d506e5bc5c27c11
                                                                        • Instruction Fuzzy Hash: DC2142701A4208DFCB11DFA8C980B26BFA5FB88314F60C56DDA090B652C37AD806CA62
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 906e1a870c131a669a87e6368e6edc21a28ba5548dc48d88e5f5ff6727ab7ca1
                                                                        • Instruction ID: 0b1a10fe2485f2fde098396ae7b851b85092e4306e3664fc80122a7ae72fa523
                                                                        • Opcode Fuzzy Hash: 906e1a870c131a669a87e6368e6edc21a28ba5548dc48d88e5f5ff6727ab7ca1
                                                                        • Instruction Fuzzy Hash: F9215E30B011159FDB64EB78D59966E76B2EF88700F204839E807EB394DA349C42CB80
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 4b2143863513c1249a4433a66b4e13961d471d5e53a9532c2acbcea9fcc55fbe
                                                                        • Instruction ID: b6ff5335cdb40fd0f65616a005d0dab70bf78fc873ac96c2c673ae4db1489de9
                                                                        • Opcode Fuzzy Hash: 4b2143863513c1249a4433a66b4e13961d471d5e53a9532c2acbcea9fcc55fbe
                                                                        • Instruction Fuzzy Hash: 9C21A231B101549BDF54EBA8E950A9DB7F6EB84314F108039D405EB341DB34DC458BC1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 31ef86b9bea0446d3353bc8241eb0765752981b48176d354d35c1883d23a2409
                                                                        • Instruction ID: d7ed6c19b3f1ec59bcf354b8d05b29a9e5defbc637fc0db374cab33be377d749
                                                                        • Opcode Fuzzy Hash: 31ef86b9bea0446d3353bc8241eb0765752981b48176d354d35c1883d23a2409
                                                                        • Instruction Fuzzy Hash: 71118E71F002199BCF58EB69DC806DEF7B5EB8A310F11897AD40AE7244DA35DA41CB92
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e76e522ec07b7655a2b8dbed378514af573d310df128eec537f2bd5bf9ad0221
                                                                        • Instruction ID: 1cf4483bbfe5ec0da567f3758659b3dd8b088d03cf2148c3b6be40715696545d
                                                                        • Opcode Fuzzy Hash: e76e522ec07b7655a2b8dbed378514af573d310df128eec537f2bd5bf9ad0221
                                                                        • Instruction Fuzzy Hash: 2C11A132B101285FDF54AB69DC146AE73FAEBC9610F018539D40AEB344DE25DC068BD2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: d810cdda862fdb27c0feacff0d5e00f110326cb37c94f084f856c9111064054a
                                                                        • Instruction ID: 95b813e859960897826d0cdaef496affc28d1c22a6d22c9c17cfa234a0ec6e98
                                                                        • Opcode Fuzzy Hash: d810cdda862fdb27c0feacff0d5e00f110326cb37c94f084f856c9111064054a
                                                                        • Instruction Fuzzy Hash: 6501D435B105104BCB66A678AD9476E67DADBCAB21F10883AE40ECB341E925CD078792
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: b0b1340e0995a54ca1cf128b8a46e67a2d5cb5e17e9389d32643d148b552a035
                                                                        • Instruction ID: e9cffa1961e96fe052cb7b63ec98e5f13d67c94c46648bef4419220c567beaa1
                                                                        • Opcode Fuzzy Hash: b0b1340e0995a54ca1cf128b8a46e67a2d5cb5e17e9389d32643d148b552a035
                                                                        • Instruction Fuzzy Hash: 55112531B142854FCB52EB79D86076A7BF1EB86210F0484BAE04ADF249EA29DC4AC341
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 43325d3a499289cadbc54a9f897b7739172103bbd49bcf24d6ec687ed9adf61c
                                                                        • Instruction ID: 335525c225083128a612c1937bf92d2eadd6045a85688dd4747377225e27ce52
                                                                        • Opcode Fuzzy Hash: 43325d3a499289cadbc54a9f897b7739172103bbd49bcf24d6ec687ed9adf61c
                                                                        • Instruction Fuzzy Hash: 7701B171B141150BDB55A67CDC54B1BABE6DBC6710F11843AF40ECB790EE75CD068782
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 3619b674f0c621a1e5c5ebcf4cdaa78932b225eed813770aa8106649c5e8b2ac
                                                                        • Instruction ID: 56df72275b22f6a62cdd4e356e296811941cef90d111c9ffcf11855142ed2534
                                                                        • Opcode Fuzzy Hash: 3619b674f0c621a1e5c5ebcf4cdaa78932b225eed813770aa8106649c5e8b2ac
                                                                        • Instruction Fuzzy Hash: FC21C2B5D012199FCB00DF9AD985ADEFBB8FF49310F10812AE918B7300C3756954CBA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 427788c3b0f8940138e07d7cc715b5b3d2a6b1210deb9539a030cb92a957ab37
                                                                        • Instruction ID: 361714d2f8941527e84079dbba207ee230d706a222bc112be5c760148f218643
                                                                        • Opcode Fuzzy Hash: 427788c3b0f8940138e07d7cc715b5b3d2a6b1210deb9539a030cb92a957ab37
                                                                        • Instruction Fuzzy Hash: 2A01D436F100145BDF949A69CC143EF72AAABC8650F064135D50AE7344EE25CC174BD2
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4530279777.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_12ad000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                        • Instruction ID: b846566907454f6ae5d1c3721ae38126dbc89e5c0634893e4ae726db049b1560
                                                                        • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                        • Instruction Fuzzy Hash: 9A11EB75544284CFCB12CF58C5C0B15BFB1FB88314F28C6AAD9494BA52C33AD40ACB62
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c64ac7fb5d4c084d3a695da69a6574f275943c499fa41683f1e94170cb4de4d2
                                                                        • Instruction ID: a0fc5b1ba0f8860bd0312cb9e8c6786ec84395fb2839b14d6125dc205d2dc61a
                                                                        • Opcode Fuzzy Hash: c64ac7fb5d4c084d3a695da69a6574f275943c499fa41683f1e94170cb4de4d2
                                                                        • Instruction Fuzzy Hash: C811D3B1D012599FCB00DF9AD884ADEFBB4FF49310F10812AE518A7300C3756944CFA5
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 2524d03b52cdcdf62fd5e4fff8c8db1f82dd62640dd6d76028bfeba17a0ab45a
                                                                        • Instruction ID: 2144f4d1aa7b341d9a2ff8d44d9280acd0c734293fc82576863ac54c7b21b444
                                                                        • Opcode Fuzzy Hash: 2524d03b52cdcdf62fd5e4fff8c8db1f82dd62640dd6d76028bfeba17a0ab45a
                                                                        • Instruction Fuzzy Hash: 40016D31B100150BDB64AA7DD854B2BA6EADBCA620F218439F50EC7384EE75DC038792
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 54391a1ecdf395f3f9479269b8ff0da8de73bbd369d093c0e8c6a3c6fd86a52a
                                                                        • Instruction ID: 77d0f37b6d466af42495f24ca7f41f0fac402879eb2572d33872c476a29bb1aa
                                                                        • Opcode Fuzzy Hash: 54391a1ecdf395f3f9479269b8ff0da8de73bbd369d093c0e8c6a3c6fd86a52a
                                                                        • Instruction Fuzzy Hash: A501AF31B104144BDB65AA7EE894B3F77DADBC9A24F108839E50ECB340EE25DC038792
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 690d5bfd71405408076f99947ad6ccdc76ea15e8338a97319ddffa0f401aec8b
                                                                        • Instruction ID: 118496395adfb106c1fb7b02e9ef8e51354f6337e082665a2f08fa3a87ca1ba0
                                                                        • Opcode Fuzzy Hash: 690d5bfd71405408076f99947ad6ccdc76ea15e8338a97319ddffa0f401aec8b
                                                                        • Instruction Fuzzy Hash: A2018135B101144BDB64EA7DE854B2A77D6EBC9624F108438F50ECB358EE2ADC4B8781
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 5e2e6e9b7f5b3f12cb676a610b945c4b525a7b984acba4bf4cb93c01f9c6be37
                                                                        • Instruction ID: 82577ca269f210fe3ef3346aebcd08c14ed3d2184b3638c234facaf29be737ff
                                                                        • Opcode Fuzzy Hash: 5e2e6e9b7f5b3f12cb676a610b945c4b525a7b984acba4bf4cb93c01f9c6be37
                                                                        • Instruction Fuzzy Hash: D601A931F211289BDB54AEA5ED40A9D7779FB84314F10453DE905EB340DB769C05CB84
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 1daf5b483b88143deaf889dc2b288791ab57e8ad6d8fa63c6efcd8daeb60e3fe
                                                                        • Instruction ID: 3c0b92bd4a658dec6b952531dd91d26bfa88294125df1588a20798f8a74a545d
                                                                        • Opcode Fuzzy Hash: 1daf5b483b88143deaf889dc2b288791ab57e8ad6d8fa63c6efcd8daeb60e3fe
                                                                        • Instruction Fuzzy Hash: A6E09274E065885FDB50DB70CF46BAE7BB8DB42248F2085E6D809CB102D536CA8583A1
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: a677e92a9621ce443835487d53bca198cee480dfa36386bfc4b0cf8d9c507595
                                                                        • Instruction ID: e9d48dcf30b0dd7a344a546da9b3a901bf4e124f315346436cb4dad04c4b16c5
                                                                        • Opcode Fuzzy Hash: a677e92a9621ce443835487d53bca198cee480dfa36386bfc4b0cf8d9c507595
                                                                        • Instruction Fuzzy Hash: 93E0C270E10148ABDF50EFB4CD05B5EB7ACDB02208F2084A4D809CB202E172CA0287C0
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-2843079600
                                                                        • Opcode ID: 2d608a9d6085d7df4bdcf6f1ed2d08c3da8a59c77384bcd45d50fbc27d9e372a
                                                                        • Instruction ID: a388f305cabf54768d5010bda6705f40da4f55dd5f1189dd9555b3251d0ff4d9
                                                                        • Opcode Fuzzy Hash: 2d608a9d6085d7df4bdcf6f1ed2d08c3da8a59c77384bcd45d50fbc27d9e372a
                                                                        • Instruction Fuzzy Hash: 6E124D30E00219CFDB68EF69D994A9DB7B2FF88704F2089A9D449AB354DB349D45CF81
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: 0odp$Dqdp$PH]q
                                                                        • API String ID: 0-4272097961
                                                                        • Opcode ID: e0e1425ecd81bd155ff958b4275f20a381310673fac6808f6e5ee440b3e305c4
                                                                        • Instruction ID: 26c8678d169639f2f0d2b2d174401994de077405c8fa03c080fc60236a970608
                                                                        • Opcode Fuzzy Hash: e0e1425ecd81bd155ff958b4275f20a381310673fac6808f6e5ee440b3e305c4
                                                                        • Instruction Fuzzy Hash: A9229D30B101058FDB94EB68D994A6EB7F6EF89310F108969D40ADF3A1DB35EC46CB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: XPbq$\Obq
                                                                        • API String ID: 0-409418754
                                                                        • Opcode ID: 3ec7e2e55a56f7718fa6f11d4bca5e3ab3fda5fe6d7e6feb71d2db2d261b6e14
                                                                        • Instruction ID: 2a007fca5f49e37fb41fb1a9b88f18625272a0a6f00f76d1e88120a1e45f542f
                                                                        • Opcode Fuzzy Hash: 3ec7e2e55a56f7718fa6f11d4bca5e3ab3fda5fe6d7e6feb71d2db2d261b6e14
                                                                        • Instruction Fuzzy Hash: CCD1B431B100158FDF64EB6CE494AAEB7F6FB89720F25846AD40ADB395CA31EC45C790
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 7ace44dba206a0b878f2069d5bd985afeac9f695622ade530a7b7aa647d4fea3
                                                                        • Instruction ID: 0069dbd89a6acccb4bd2b37b73fcd44dd741bdeb3761f2d6560a87342eeffa5c
                                                                        • Opcode Fuzzy Hash: 7ace44dba206a0b878f2069d5bd985afeac9f695622ade530a7b7aa647d4fea3
                                                                        • Instruction Fuzzy Hash: BB23ED31D106198ECB11EF68C8946ADF7B1FF99300F15C79AE458A7221EB70AAD5CF81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: e90f51234e12d65891855f2c0b44b33a6a249ce036745d112c734a4b525ff204
                                                                        • Instruction ID: 82cacfa3e1ad10f0b72d0df6aeb1c74016239cdd9b1198508d19f4f52169e3a6
                                                                        • Opcode Fuzzy Hash: e90f51234e12d65891855f2c0b44b33a6a249ce036745d112c734a4b525ff204
                                                                        • Instruction Fuzzy Hash: C423EC31D106198ECB11EF68C8946ADF7B1FF99300F15C79AE458A7221EB70AAD5CF81
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: 151602571f36b1a3d479a4c2e54833cdad039da4696874318d3be82776cdce2a
                                                                        • Instruction ID: 00915c7bb638f34cf5224ac0d684652eb6309c746118ea0f4f90236b25692e34
                                                                        • Opcode Fuzzy Hash: 151602571f36b1a3d479a4c2e54833cdad039da4696874318d3be82776cdce2a
                                                                        • Instruction Fuzzy Hash: C71262B08017468AE730CF65E98C2897BB1BB85338F50C719D2656E2E9DBB8158BCF44
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533430534.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dc0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID:
                                                                        • API String ID:
                                                                        • Opcode ID: c7048c658053c499eee2044db633db1380ff1fbe977d5e9b9d6749dca4f7e100
                                                                        • Instruction ID: 1c0d51319d512a44cfe8b081155e7d88ed90ef41187065607dd12e4c4b0dce6c
                                                                        • Opcode Fuzzy Hash: c7048c658053c499eee2044db633db1380ff1fbe977d5e9b9d6749dca4f7e100
                                                                        • Instruction Fuzzy Hash: 41C1D5B18017468BE720CF64E98C2897BB1FB85338F518719D1616F2E9DBB8158BCF44
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-1273862796
                                                                        • Opcode ID: 6f8741890f39a536fc0177bc79ca0c41d54260b72c3771e1d4f52ce0d01107b6
                                                                        • Instruction ID: 72146b99b59b91306058a5c1cc3976081346efc80b20fad82de30b0f56a8715e
                                                                        • Opcode Fuzzy Hash: 6f8741890f39a536fc0177bc79ca0c41d54260b72c3771e1d4f52ce0d01107b6
                                                                        • Instruction Fuzzy Hash: C1915030E00209EFDB68EF69D994B6E77B6EF44700F18C429D841A7294DB39DD46CB90
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-981061697
                                                                        • Opcode ID: 2005527857afb6769a661099c85f2ee6c7717b2af842665061df962197f65880
                                                                        • Instruction ID: e369242062da9011bf64ffc345ffc5ae555608cd91f440abcf2358514fbf6a60
                                                                        • Opcode Fuzzy Hash: 2005527857afb6769a661099c85f2ee6c7717b2af842665061df962197f65880
                                                                        • Instruction Fuzzy Hash: E3F16430B00209CFDB59EFA9D550A6EBBB6FF84744F248568D815AB394CB39DC46CB81
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                                        • API String ID: 0-3723351465
                                                                        • Opcode ID: c46d379c94cadc24f590f30d655db7cb2103d286e79bc475cba2e5d4269e7c01
                                                                        • Instruction ID: 526b499d002a6beaa288b87e6d796636acbd7322212715b9d09303ebe57d9c18
                                                                        • Opcode Fuzzy Hash: c46d379c94cadc24f590f30d655db7cb2103d286e79bc475cba2e5d4269e7c01
                                                                        • Instruction Fuzzy Hash: E771AC70E002098FDB68EF68D980A6EB7F6FF84708F11846AD406EB255DB75DD46CB81
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                        • API String ID: 0-858218434
                                                                        • Opcode ID: 312379be7bf761e883f262293bf5a0e98ef11836f602804f95122ade2b334a45
                                                                        • Instruction ID: 179e8c4f853999ccbf66f33fb850febc5ddbd3d3b8e2c222f9cff83c7d0ffffd
                                                                        • Opcode Fuzzy Hash: 312379be7bf761e883f262293bf5a0e98ef11836f602804f95122ade2b334a45
                                                                        • Instruction Fuzzy Hash: 78B17030A01209CFDB69EFA9D590A6EB7B6FF84704F248429D405EB394DB35DC86CB81
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: $]q$$]q$$]q$$]q
                                                                        • API String ID: 0-858218434
                                                                        • Opcode ID: 7a014e3885bdb69f348274c253af4771b82c97e1824bfa56cb0f2b44b6694bd6
                                                                        • Instruction ID: 3bbf07c875146ffa1f8fe8859832cd97ad6c5a6ce32242ab0faf100774e818d5
                                                                        • Opcode Fuzzy Hash: 7a014e3885bdb69f348274c253af4771b82c97e1824bfa56cb0f2b44b6694bd6
                                                                        • Instruction Fuzzy Hash: E2518530E102098FDF65EF68D9809ADB3B6EB84714F19C56AD815EB350DB35DC42CB91
                                                                        Strings
                                                                        Memory Dump Source
                                                                        • Source File: 00000000.00000002.4533459397.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                                                        Joe Sandbox IDA Plugin
                                                                        • Snapshot File: hcaresult_0_2_6dd0000_uLFOeGZaJS.jbxd
                                                                        Similarity
                                                                        • API ID:
                                                                        • String ID: LR]q$LR]q$$]q$$]q
                                                                        • API String ID: 0-3527005858
                                                                        • Opcode ID: e8ede42f630227cf95e2098588d4ec6c36ae9c2ff463448c7c2cc529710438f3
                                                                        • Instruction ID: 7fa8f5e09d6e6f68e3264a9fdb3f9572a3dba503da54b0fdc87b4dd2becc2382
                                                                        • Opcode Fuzzy Hash: e8ede42f630227cf95e2098588d4ec6c36ae9c2ff463448c7c2cc529710438f3
                                                                        • Instruction Fuzzy Hash: BA51BF30B002019FDB59EF68D990A6EB7F6FF88714F148569E5069B394DA38EC01CB91