Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
G6hxXf90i5.exe

Overview

General Information

Sample name:G6hxXf90i5.exe
Analysis ID:1585775
MD5:35c10546b56f0af9bd3d8c7ea9665965
SHA1:d85138c30500a3f01e4410daa8c1a46d6eb77b9a
SHA256:d1a16a50def193b10f6d814cfa9fe859db8dc0f2451175647470c8f31e204b25
Infos:

Detection

Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Set autostart key via New-ItemProperty Cmdlet
Suricata IDS alerts for network traffic
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Suspicious powershell command line found
Tries to harvest and steal Bitcoin Wallet information
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64native
  • G6hxXf90i5.exe (PID: 1296 cmdline: "C:\Users\user\Desktop\G6hxXf90i5.exe" MD5: 35C10546B56F0AF9BD3D8C7EA9665965)
    • powershell.exe (PID: 8116 cmdline: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • G6hxXf90i5.exe (PID: 8708 cmdline: "C:\Users\user\AppData\Roaming\G6hxXf90i5.exe" MD5: 35C10546B56F0AF9BD3D8C7EA9665965)
  • G6hxXf90i5.exe (PID: 8776 cmdline: "C:\Users\user\AppData\Roaming\G6hxXf90i5.exe" MD5: 35C10546B56F0AF9BD3D8C7EA9665965)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      Process Memory Space: G6hxXf90i5.exe PID: 1296JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        Process Memory Space: G6hxXf90i5.exe PID: 8708JoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: CurrentVersion Autorun Keys Modification
          Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8116, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\G6hxXf90i5
          Sigma detected: Non Interactive PowerShell Process Spawned
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\G6hxXf90i5.exe", ParentImage: C:\Users\user\Desktop\G6hxXf90i5.exe, ParentProcessId: 1296, ParentProcessName: G6hxXf90i5.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', ProcessId: 8116, ProcessName: powershell.exe

          Persistence and Installation Behavior

          barindex
          Sigma detected: Set autostart key via New-ItemProperty Cmdlet
          Source: Process startedAuthor: Joe Security: Data: Command: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', CommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', CommandLine|base64offset|contains: E^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\G6hxXf90i5.exe", ParentImage: C:\Users\user\Desktop\G6hxXf90i5.exe, ParentProcessId: 1296, ParentProcessName: G6hxXf90i5.exe, ProcessCommandLine: "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String', ProcessId: 8116, ProcessName: powershell.exe

          Suricata Signatures

          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
          2025-01-08T08:59:17.873519+010020355951Domain Observed Used for C2 Detected185.157.162.10356001192.168.11.2049762TCP

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Antivirus / Scanner detection for submitted sample
          Source: G6hxXf90i5.exeAvira: detected
          Antivirus detection for dropped file
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeAvira: detection malicious, Label: HEUR/AGEN.1323341
          Multi AV Scanner detection for dropped file
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeReversingLabs: Detection: 55%
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeVirustotal: Detection: 58%Perma Link
          Multi AV Scanner detection for submitted file
          Source: G6hxXf90i5.exeVirustotal: Detection: 58%Perma Link
          Source: G6hxXf90i5.exeReversingLabs: Detection: 55%
          Machine Learning detection for dropped file
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeJoe Sandbox ML: detected
          Machine Learning detection for sample
          Source: G6hxXf90i5.exeJoe Sandbox ML: detected
          Source: G6hxXf90i5.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: G6hxXf90i5.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

          barindex
          Suricata IDS alerts for network traffic
          Source: Network trafficSuricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 185.157.162.103:56001 -> 192.168.11.20:49762
          Source: global trafficTCP traffic: 192.168.11.20:49762 -> 185.157.162.103:56001
          Source: Joe Sandbox ViewASN Name: OBE-EUROPEObenetworkEuropeSE OBE-EUROPEObenetworkEuropeSE
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: unknownTCP traffic detected without corresponding DNS query: 185.157.162.103
          Source: G6hxXf90i5.exe, 00000000.00000002.175550927077.0000000005E97000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173112262229.0000000003353000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
          Source: G6hxXf90i5.exe, 00000000.00000002.175550927077.0000000005E97000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173112262229.0000000003353000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: G6hxXf90i5.exe, 00000000.00000002.175543641867.0000000001398000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
          Source: G6hxXf90i5.exe, 00000000.00000002.175544406751.00000000013BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
          Source: powershell.exe, 00000002.00000002.173117917696.0000000005E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000002.00000002.173119949076.0000000007970000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173119421563.0000000007890000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png4
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003751000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173113534000.0000000004DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000002.00000002.173119949076.0000000007970000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173119421563.0000000007890000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
          Source: G6hxXf90i5.exe, 00000000.00000002.175550927077.0000000005E97000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173112262229.0000000003353000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
          Source: powershell.exe, 00000002.00000002.173113534000.0000000004DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
          Source: powershell.exe, 00000002.00000002.173117917696.0000000005E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000002.00000002.173117917696.0000000005E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000002.00000002.173117917696.0000000005E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
          Source: powershell.exe, 00000002.00000002.173119949076.0000000007970000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173119421563.0000000007890000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester4
          Source: powershell.exe, 00000002.00000002.173117917696.0000000005E40000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: G6hxXf90i5.exe, 00000000.00000002.175550927077.0000000005E97000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173112262229.0000000003353000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000005.00000002.173455894868.0000000002D28000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot

          System Summary

          barindex
          .NET source code contains very large array initializations
          Source: G6hxXf90i5.exe, InstanceFilter.csLarge array initialization: RateState: array initializer size 296976
          Source: G6hxXf90i5.exe.0.dr, InstanceFilter.csLarge array initialization: RateState: array initializer size 296976
          Source: 0.2.G6hxXf90i5.exe.4403c28.0.raw.unpack, InstanceFilter.csLarge array initialization: RateState: array initializer size 296976
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess Stats: CPU usage > 6%
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_015342F80_2_015342F8
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_015315B80_2_015315B8
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_015315A80_2_015315A8
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_01533F650_2_01533F65
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_01533FDA0_2_01533FDA
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_05F8C8600_2_05F8C860
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_05F825500_2_05F82550
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_05F837300_2_05F83730
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_066449800_2_06644980
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_0664BF600_2_0664BF60
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_0664BF500_2_0664BF50
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_0664A0480_2_0664A048
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_0664A03E0_2_0664A03E
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_066448FB0_2_066448FB
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_0664DCA80_2_0664DCA8
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_066434880_2_06643488
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_066485420_2_06648542
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_066485900_2_06648590
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_067965710_2_06796571
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_067966350_2_06796635
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_06793C550_2_06793C55
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_0679657A0_2_0679657A
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_0679603C0_2_0679603C
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_067960330_2_06796033
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_0679611D0_2_0679611D
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_067942A00_2_067942A0
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_067942920_2_06794292
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 4_2_023E42F84_2_023E42F8
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 4_2_023E15B84_2_023E15B8
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 4_2_023E15A84_2_023E15A8
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 4_2_023E1BFE4_2_023E1BFE
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 4_2_023E1C3D4_2_023E1C3D
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 4_2_023E1C264_2_023E1C26
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 4_2_023E1C874_2_023E1C87
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 4_2_023E3D924_2_023E3D92
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 5_2_02AF42F85_2_02AF42F8
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 5_2_02AF15A85_2_02AF15A8
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 5_2_02AF15B85_2_02AF15B8
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 5_2_02AF1BFE5_2_02AF1BFE
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 5_2_02AF1C875_2_02AF1C87
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 5_2_02AF1C265_2_02AF1C26
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 5_2_02AF1C3D5_2_02AF1C3D
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 5_2_02AF3D925_2_02AF3D92
          Source: G6hxXf90i5.exe, 00000000.00000002.175543641867.00000000012DE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exe, 00000000.00000000.173088895154.0000000000DAA000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameEprnvilubgl.exe" vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003241000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exe, 00000004.00000002.173376055072.0000000003665000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exe, 00000004.00000002.173375468114.000000000268E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exe, 00000004.00000002.173373609304.000000000081E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exe, 00000004.00000002.173377908280.0000000004BF0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exe, 00000005.00000002.173456833112.0000000003E93000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameAnoseh.dll" vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exeBinary or memory string: OriginalFilenameEprnvilubgl.exe" vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exe.0.drBinary or memory string: OriginalFilenameEprnvilubgl.exe" vs G6hxXf90i5.exe
          Source: G6hxXf90i5.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: G6hxXf90i5.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: G6hxXf90i5.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: G6hxXf90i5.exe, InstanceFilter.csCryptographic APIs: 'CreateDecryptor'
          Source: G6hxXf90i5.exe, PrinterMerchantID.csCryptographic APIs: 'CreateDecryptor'
          Source: G6hxXf90i5.exe, PrinterMerchantID.csCryptographic APIs: 'CreateDecryptor'
          Source: G6hxXf90i5.exe.0.dr, InstanceFilter.csCryptographic APIs: 'CreateDecryptor'
          Source: G6hxXf90i5.exe.0.dr, PrinterMerchantID.csCryptographic APIs: 'CreateDecryptor'
          Source: G6hxXf90i5.exe.0.dr, PrinterMerchantID.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.2.G6hxXf90i5.exe.4403c28.0.raw.unpack, InstanceFilter.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.2.G6hxXf90i5.exe.4403c28.0.raw.unpack, PrinterMerchantID.csCryptographic APIs: 'CreateDecryptor'
          Source: 0.2.G6hxXf90i5.exe.4403c28.0.raw.unpack, PrinterMerchantID.csCryptographic APIs: 'CreateDecryptor'
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/5@0/1
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeFile created: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeMutant created: \Sessions\1\BaseNamedObjects\fe5d05a685
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:304:WilStaging_02
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0uadr21w.q3v.ps1Jump to behavior
          Source: G6hxXf90i5.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: G6hxXf90i5.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: G6hxXf90i5.exeVirustotal: Detection: 58%
          Source: G6hxXf90i5.exeReversingLabs: Detection: 55%
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeFile read: C:\Users\user\Desktop\G6hxXf90i5.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\G6hxXf90i5.exe "C:\Users\user\Desktop\G6hxXf90i5.exe"
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe "C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"
          Source: unknownProcess created: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe "C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'Jump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: mswsock.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: schannel.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: mskeyprotect.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: ntasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: ncrypt.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeSection loaded: ncryptsslp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: xmllite.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: edgegdi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeSection loaded: wbemcomn.dllJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: G6hxXf90i5.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: G6hxXf90i5.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          barindex
          .NET source code contains method to dynamically call methods (often used by packers)
          Source: G6hxXf90i5.exe, PrinterMerchantID.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
          Source: G6hxXf90i5.exe.0.dr, PrinterMerchantID.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
          Source: 0.2.G6hxXf90i5.exe.4403c28.0.raw.unpack, PrinterMerchantID.cs.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
          Suspicious powershell command line found
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'Jump to behavior
          Source: G6hxXf90i5.exeStatic PE information: 0xFFEF854D [Mon Jan 25 18:28:29 2106 UTC]
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_05F8893F pushad ; ret 0_2_05F88965
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_066444C2 push 8705A0F9h; retf 418Bh0_2_066444D1
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_067998D0 push 00C36CA4h; ret 0_2_067998EA
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_067909F8 pushad ; ret 0_2_067909F9
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeCode function: 0_2_067909FA push esp; ret 0_2_06790A01
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 4_2_023E5AD7 pushfd ; retf 4_2_023E5B0A
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeCode function: 4_2_023E4BD0 push edx; retf 4_2_023E4BE2
          Source: G6hxXf90i5.exeStatic PE information: section name: .text entropy: 7.866241849121042
          Source: G6hxXf90i5.exe.0.drStatic PE information: section name: .text entropy: 7.866241849121042
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeFile created: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeJump to dropped file
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run G6hxXf90i5Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run G6hxXf90i5Jump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Queries memory information (via WMI often done to detect virtual machines)
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
          Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
          Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
          Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeMemory allocated: 1530000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeMemory allocated: 3240000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeMemory allocated: 3180000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeMemory allocated: 23A0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeMemory allocated: 25A0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeMemory allocated: 45A0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeMemory allocated: 2A50000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeMemory allocated: 2CD0000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeMemory allocated: 2A50000 memory reserve | memory write watchJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeWindow / User API: threadDelayed 9937Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 9921Jump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exe TID: 8520Thread sleep time: -1844674407370954s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exe TID: 8524Thread sleep count: 9937 > 30Jump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6896Thread sleep count: 9921 > 30Jump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe TID: 8736Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe TID: 8800Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: G6hxXf90i5.exe, 00000000.00000002.175550927077.0000000005E60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeMemory allocated: page read and write | page guardJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'Jump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'g6hxxf90i5';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'g6hxxf90i5' -value '"c:\users\user\appdata\roaming\g6hxxf90i5.exe"' -propertytype 'string'
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" remove-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'g6hxxf90i5';new-itemproperty -path 'hkcu:\software\microsoft\windows\currentversion\run' -name 'g6hxxf90i5' -value '"c:\users\user\appdata\roaming\g6hxxf90i5.exe"' -propertytype 'string'Jump to behavior
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.000000000374D000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003685000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003725000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003568000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerA7312615A134A4"
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.00000000035BF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managerh{
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.000000000374D000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003685000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003725000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerTe
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeQueries volume information: C:\Users\user\Desktop\G6hxXf90i5.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeQueries volume information: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeQueries volume information: C:\Users\user\AppData\Roaming\G6hxXf90i5.exe VolumeInformationJump to behavior
          Source: C:\Users\user\AppData\Roaming\G6hxXf90i5.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: G6hxXf90i5.exe, 00000000.00000002.175550927077.0000000005E97000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

          Stealing of Sensitive Information

          barindex
          Found many strings related to Crypto-Wallets (likely being stolen)
          Source: G6hxXf90i5.exe, 00000000.00000002.175550927077.0000000005E97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Jaxx Liberty
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003568000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003568000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystore
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Exodus Web3
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Ethereum
          Source: G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: keystore!
          Tries to harvest and steal Bitcoin Wallet information
          Source: C:\Users\user\Desktop\G6hxXf90i5.exeKey opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-QtJump to behavior
          Source: Yara matchFile source: 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: G6hxXf90i5.exe PID: 1296, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: G6hxXf90i5.exe PID: 8708, type: MEMORYSTR

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire InfrastructureValid Accounts321
          Windows Management Instrumentation          		1
          Registry Run Keys / Startup Folder          		12
          Process Injection          		1
          Masquerading          		OS Credential Dumping531
          Security Software Discovery          		Remote Services11
          Archive Collected Data          		1
          Encrypted Channel          		Exfiltration Over Other Network MediumAbuse Accessibility Features
          CredentialsDomainsDefault Accounts1
          Command and Scripting Interpreter          		1
          DLL Side-Loading          		1
          Registry Run Keys / Startup Folder          		1
          Disable or Modify Tools          		LSASS Memory2
          Process Discovery          		Remote Desktop Protocol1
          Data from Local System          		1
          Non-Standard Port          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain Accounts1
          PowerShell          		Logon Script (Windows)1
          DLL Side-Loading          		341
          Virtualization/Sandbox Evasion          		Security Account Manager341
          Virtualization/Sandbox Evasion          		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
          Process Injection          		NTDS1
          Application Window Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
          Deobfuscate/Decode Files or Information          		LSA Secrets213
          System Information Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
          Obfuscated Files or Information          		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
          Software Packing          		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
          Timestomp          		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
          DLL Side-Loading          		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          G6hxXf90i5.exe58%VirustotalBrowse
          G6hxXf90i5.exe55%ReversingLabsByteCode-MSIL.Trojan.Heracles
          G6hxXf90i5.exe100%AviraHEUR/AGEN.1323341
          G6hxXf90i5.exe100%Joe Sandbox ML

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Roaming\G6hxXf90i5.exe100%AviraHEUR/AGEN.1323341
          C:\Users\user\AppData\Roaming\G6hxXf90i5.exe100%Joe Sandbox ML
          C:\Users\user\AppData\Roaming\G6hxXf90i5.exe55%ReversingLabsByteCode-MSIL.Trojan.Heracles
          C:\Users\user\AppData\Roaming\G6hxXf90i5.exe58%VirustotalBrowse

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

          NameSourceMaliciousAntivirus DetectionReputation
          http://pesterbdd.com/images/Pester.png4powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpfalse
            		high
            https://github.com/Pester/Pester4powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpfalse
              		high
              http://nuget.org/NuGet.exepowershell.exe, 00000002.00000002.173117917696.0000000005E40000.00000004.00000800.00020000.00000000.sdmpfalse
                		high
                https://stackoverflow.com/q/14436606/23354G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000005.00000002.173455894868.0000000002D28000.00000004.00000800.00020000.00000000.sdmpfalse
                  		high
                  http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000002.00000002.173119949076.0000000007970000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173119421563.0000000007890000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpfalse
                    		high
                    https://aka.ms/pscore6lBpowershell.exe, 00000002.00000002.173113534000.0000000004DD1000.00000004.00000800.00020000.00000000.sdmpfalse
                      		high
                      https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dllG6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpfalse
                        		high
                        http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000002.00000002.173119949076.0000000007970000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173119421563.0000000007890000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          https://stackoverflow.com/q/2152978/23354rCannotG6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://stackoverflow.com/q/11564914/23354;G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exeG6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                https://contoso.com/powershell.exe, 00000002.00000002.173117917696.0000000005E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exeG6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    https://nuget.org/nuget.exepowershell.exe, 00000002.00000002.173117917696.0000000005E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		high
                                      https://contoso.com/Licensepowershell.exe, 00000002.00000002.173117917696.0000000005E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                        		high
                                        https://contoso.com/Iconpowershell.exe, 00000002.00000002.173117917696.0000000005E40000.00000004.00000800.00020000.00000000.sdmpfalse
                                          		high
                                          http://www.quovadis.bm0G6hxXf90i5.exe, 00000000.00000002.175550927077.0000000005E97000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173112262229.0000000003353000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://ocsp.quovadisoffshore.com0G6hxXf90i5.exe, 00000000.00000002.175550927077.0000000005E97000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173112262229.0000000003353000.00000004.00000020.00020000.00000000.sdmpfalse
                                              		high
                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameG6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003751000.00000004.00000800.00020000.00000000.sdmp, G6hxXf90i5.exe, 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173113534000.0000000004DD1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		high
                                                http://www.apache.org/licenses/LICENSE-2.0.html4powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		high
                                                  https://github.com/Pester/Pesterpowershell.exe, 00000002.00000002.173119949076.0000000007970000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173119421563.0000000007890000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.173113534000.0000000004F29000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    		high

                                                    World Map of Contacted IPs

                                                    • No. of IPs < 25%
                                                    • 25% < No. of IPs < 50%
                                                    • 50% < No. of IPs < 75%
                                                    • 75% < No. of IPs

                                                    Public IPs

                                                    IPDomainCountryFlagASNASN NameMalicious
                                                    185.157.162.103
                                                    		unknownSweden
                                                    		197595OBE-EUROPEObenetworkEuropeSEtrue

                                                    General Information

                                                    Joe Sandbox version:41.0.0 Charoite
                                                    Analysis ID:1585775
                                                    Start date and time:2025-01-08 08:57:01 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 10m 19s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
                                                    Run name:Suspected VM Detection
                                                    Number of analysed new started processes analysed:6
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Sample name:G6hxXf90i5.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@6/5@0/1
                                                    EGA Information:Failed
                                                    HCA Information:
                                                    • Successful, ratio: 86%
                                                    • Number of executed functions: 198
                                                    • Number of non-executed functions: 24
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption

                                                    Warnings

                                                    • Exclude process from analysis (whitelisted): dllhost.exe
                                                    • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
                                                    • Execution Graph export aborted for target G6hxXf90i5.exe, PID 1296 because it is empty
                                                    • Execution Graph export aborted for target G6hxXf90i5.exe, PID 8708 because it is empty
                                                    • Execution Graph export aborted for target G6hxXf90i5.exe, PID 8776 because it is empty
                                                    • Execution Graph export aborted for target powershell.exe, PID 8116 because it is empty
                                                    • Not all processes where analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                                    • Report size getting too big, too many NtOpenFile calls found.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                    • Report size getting too big, too many NtReadVirtualMemory calls found.

                                                    Simulations

                                                    Behavior and APIs

                                                    TimeTypeDescription
                                                    02:59:10API Interceptor3x Sleep call for process: powershell.exe modified
                                                    02:59:16API Interceptor16523038x Sleep call for process: G6hxXf90i5.exe modified
                                                    08:59:12AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run G6hxXf90i5 C:\Users\user\AppData\Roaming\G6hxXf90i5.exe
                                                    08:59:21AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run G6hxXf90i5 C:\Users\user\AppData\Roaming\G6hxXf90i5.exe

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    No context

                                                    Domains

                                                    No context

                                                    ASNs

                                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                    OBE-EUROPEObenetworkEuropeSEfile.exeGet hashmaliciousLummaC, Amadey, LummaC Stealer, XWorm, XmrigBrowse
                                                    • 185.157.162.216
                                                    RFQ-12202431_ACD_Group.pif.exeGet hashmaliciousUnknownBrowse
                                                    • 193.187.91.218
                                                    RFQ-12202431_ACD_Group.pif.exeGet hashmaliciousUnknownBrowse
                                                    • 193.187.91.218
                                                    ZppxPm0ASs.exeGet hashmaliciousXmrigBrowse
                                                    • 185.157.162.216
                                                    file.exeGet hashmaliciousAmadey, LummaC Stealer, Vidar, XmrigBrowse
                                                    • 185.157.162.216
                                                    file.exeGet hashmaliciousAmadey, LummaC Stealer, Stealc, Vidar, XmrigBrowse
                                                    • 185.157.162.216
                                                    file.exeGet hashmaliciousXmrigBrowse
                                                    • 185.157.162.216
                                                    file.exeGet hashmaliciousAmadey, Credential Flusher, DarkVision Rat, LummaC Stealer, StealcBrowse
                                                    • 185.157.162.216
                                                    file.exeGet hashmaliciousDarkVision Rat, XmrigBrowse
                                                    • 185.157.162.216

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\G6hxXf90i5.exe.log

                                                    Download File
                                                    Process:C:\Users\user\AppData\Roaming\G6hxXf90i5.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1400
                                                    Entropy (8bit):5.34444530197804
                                                    Encrypted:false
                                                    SSDEEP:24:ML9E4K1BIKDE4KhKMaKhRAE4KzDAfE4KnKIE4oKnKo9E4KhROtHZsXE4kI3nRe:MxHK1BIYHKh6oRAHKzMfHKntHoAlHKh6
                                                    MD5:E1C0D648A2CE790CE2D28859A91D6073
                                                    SHA1:2A59CB9D730F3A9FC84C60016BCEE9EC3F601A32
                                                    SHA-256:A749AE27848A9302C78BCEF9CA30EDF8BAAC3A0241945DBC04854C6D7072608E
                                                    SHA-512:4599696290939FB97ADCA8DF7EB71A618F108EA1535C55B876BB4A70BA8359E0C452796FAB3907E268C0A9A9CF9356AABC0B2D6317E9836352C9EDE67F33EC80
                                                    Malicious:true
                                                    Reputation:moderate, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\827465c25133ff582ff7ddaf85635407\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\374ae62ebbde44ef97c7e898f1fdb21b\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\10879c5bddb2dd2399e2098d5ca5c9d1\System.Xml.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\b863adc9d550931e279ac7e2ee517d1f\System.Configuration.ni.dll",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=n

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):64
                                                    Entropy (8bit):0.34726597513537405
                                                    Encrypted:false
                                                    SSDEEP:3:Nlll:Nll
                                                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview:@...e...........................................................

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0gqzwmqh.g2k.psm1

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0uadr21w.q3v.ps1

                                                    Download File
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                    C:\Users\user\AppData\Roaming\G6hxXf90i5.exe

                                                    Download File
                                                    Process:C:\Users\user\Desktop\G6hxXf90i5.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:modified
                                                    Size (bytes):357376
                                                    Entropy (8bit):7.85035122447071
                                                    Encrypted:false
                                                    SSDEEP:6144:9KtVzSYv+251My5wDx3aB9PZn3WQFZgrGiVhC9k1ZEiE84WrQVxpdV2ldP47Swl3:0Su+i1Al3E9PZRWBs9kDEiE84FHpv2l6
                                                    MD5:35C10546B56F0AF9BD3D8C7EA9665965
                                                    SHA1:D85138C30500A3F01E4410DAA8C1A46D6EB77B9A
                                                    SHA-256:D1A16A50DEF193B10F6D814CFA9FE859DB8DC0F2451175647470C8F31E204B25
                                                    SHA-512:1E911F400A4A38A1C10F5AF68F0C0282C6BA0C333857E1F28DCAFB5700AE2074888EFC6ABE7DA9676813DA9896B6E095F243DD89B501388358738EA029C5FABE
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Avira, Detection: 100%
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 55%
                                                    • Antivirus: Virustotal, Detection: 58%, Browse
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.................0..j............... ........@.. ....................................@.....................................K.......p............................................................................ ............... ..H............text....i... ...j.................. ..`.rsrc...p............l..............@..@.reloc...............r..............@..B........................H............W...........................................................*...(....*..(....*..0..........8......*(......8....... ....o....8T..... 0./ .:.[a~....{....a(....(....o....8........o......o....o......8....s......8,..... Nk.m v.%Ca~....{i...a(4...(....o....8..... .........%.....(....s......8..........s......8.........(....8....s......8.......o....s......8.............8..........o....&8.......(......8.......s......8.........o....8......o......8..........9....8......o.

                                                    Static File Info

                                                    General

                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.85035122447071
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    • DOS Executable Generic (2002/1) 0.01%
                                                    File name:G6hxXf90i5.exe
                                                    File size:357'376 bytes
                                                    MD5:35c10546b56f0af9bd3d8c7ea9665965
                                                    SHA1:d85138c30500a3f01e4410daa8c1a46d6eb77b9a
                                                    SHA256:d1a16a50def193b10f6d814cfa9fe859db8dc0f2451175647470c8f31e204b25
                                                    SHA512:1e911f400a4a38a1c10f5af68f0c0282c6ba0c333857e1f28dcafb5700ae2074888efc6abe7da9676813da9896b6e095f243dd89b501388358738ea029c5fabe
                                                    SSDEEP:6144:9KtVzSYv+251My5wDx3aB9PZn3WQFZgrGiVhC9k1ZEiE84WrQVxpdV2ldP47Swl3:0Su+i1Al3E9PZRWBs9kDEiE84FHpv2l6
                                                    TLSH:B174128175C793A4C96B15B8C8F7096106F9A32B2E33C98A3B6407E64E037C6DF64F59
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.................0..j............... ........@.. ....................................@................................

                                                    File Icon

                                                    Icon Hash:90cececece8e8eb0

                                                    Static PE Info

                                                    General

                                                    Entrypoint:0x4588fe
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0xFFEF854D [Mon Jan 25 18:28:29 2106 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                    Entrypoint Preview

                                                    Instruction
                                                    jmp dword ptr [00402000h]
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al
                                                    add byte ptr [eax], al

                                                    Data Directories

                                                    NameVirtual AddressVirtual Size Is in Section
                                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IMPORT0x588b00x4b.text
                                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x5a0000x570.rsrc
                                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x5c0000xc.reloc
                                                    IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                    Sections

                                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                    .text0x20000x569040x56a00c8af74ce57932c79a272750fe3495cccFalse0.9193412923881674data7.866241849121042IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                    .rsrc0x5a0000x5700x6003a4ea315901a8a36784d4f4f5013e73aFalse0.4055989583333333data3.957653575609958IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                    .reloc0x5c0000xc0x200caef98ee0feca75c106030c426dc82eeFalse0.041015625data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                    Resources

                                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                                    RT_VERSION0x5a0a00x2e4data0.4283783783783784
                                                    RT_MANIFEST0x5a3840x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                    Imports

                                                    DLLImport
                                                    mscoree.dll_CorExeMain

                                                    Network Behavior

                                                    Suricata IDS Alerts

                                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                    2025-01-08T08:59:17.873519+01002035595ET MALWARE Generic AsyncRAT Style SSL Cert1185.157.162.10356001192.168.11.2049762TCP

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Jan 8, 2025 08:59:16.682050943 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:16.955153942 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:16.955368996 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:16.956429958 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:17.280139923 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:17.280426979 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:17.593326092 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:17.593349934 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:17.593602896 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:17.597789049 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:17.873518944 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:17.923716068 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:19.262816906 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:19.632142067 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:19.632343054 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:19.962094069 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:39.903983116 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:40.227689028 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:40.228002071 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:40.501348972 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:40.543795109 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:40.816478014 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:40.821059942 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:41.138906956 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:41.139045000 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:41.233227968 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:41.277940035 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 08:59:41.412005901 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 08:59:41.465434074 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:01.914320946 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:02.367057085 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:02.549031973 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:02.549202919 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:02.639638901 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:02.639815092 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:02.695121050 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:02.821558952 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:02.967926979 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:02.969300985 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:03.290247917 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:03.290492058 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:03.606267929 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:23.920126915 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:24.233747959 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:24.233876944 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:24.507553101 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:24.549787045 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:24.822592974 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:24.824949980 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:25.148179054 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:25.148348093 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:25.464577913 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:45.932621002 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:46.259829044 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:46.260003090 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:46.533412933 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:46.576297998 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:46.848900080 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:46.851021051 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:47.173109055 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:00:47.173350096 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:00:47.488578081 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:07.944829941 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:08.266705036 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:08.266918898 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:08.540158033 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:08.587142944 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:09.251007080 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:09.251267910 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:09.251491070 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:09.251615047 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:09.252548933 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:09.570636034 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:09.570866108 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:09.898380041 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:29.957186937 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:30.272742987 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:30.272979021 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:30.546377897 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:30.597965002 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:30.870628119 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:30.872828007 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:31.187511921 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:31.187716961 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:31.513232946 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:51.969487906 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:52.297192097 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:52.297375917 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:52.570853949 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:52.624505043 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:52.896945000 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:52.899063110 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:53.223053932 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:53.223232985 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:53.624304056 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:01:53.638748884 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:01:53.897048950 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:13.981801033 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:14.301831007 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:14.301950932 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:14.575031042 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:14.619749069 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:14.892529964 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:14.894112110 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:15.212780952 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:15.213023901 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:15.603941917 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:15.638436079 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:15.876769066 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:35.994168043 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:36.318936110 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:36.319127083 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:36.708750963 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:36.970026970 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:36.981122971 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:37.021147966 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:37.293778896 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:37.296089888 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:37.677284956 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:37.977329969 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:37.977509022 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:37.977577925 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:38.250626087 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:58.006578922 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:58.328943968 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:58.329133987 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:58.632451057 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:58.688344002 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:58.960943937 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:58.963300943 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:59.290468931 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:59.290651083 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:59.672519922 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:02:59.727211952 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:02:59.945199013 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:03:16.550715923 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:03:16.874274969 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:03:16.874399900 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:03:17.147589922 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:03:17.199974060 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:03:17.472459078 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:03:17.473217964 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:03:17.800338984 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:03:17.800462008 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:03:18.149841070 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:03:38.555067062 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:03:38.883171082 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:03:38.883388996 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:03:39.156733036 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:03:39.210864067 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:03:39.483195066 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:03:39.483839989 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:03:39.797043085 CET5600149762185.157.162.103192.168.11.20
                                                    Jan 8, 2025 09:03:39.797241926 CET4976256001192.168.11.20185.157.162.103
                                                    Jan 8, 2025 09:03:40.122036934 CET5600149762185.157.162.103192.168.11.20

                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Target ID:0
                                                    Start time:02:59:08
                                                    Start date:08/01/2025
                                                    Path:C:\Users\user\Desktop\G6hxXf90i5.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\G6hxXf90i5.exe"
                                                    Imagebase:0xd50000
                                                    File size:357'376 bytes
                                                    MD5 hash:35C10546B56F0AF9BD3D8C7EA9665965
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.175545402932.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:false

                                                    General

                                                    Target ID:2
                                                    Start time:02:59:10
                                                    Start date:08/01/2025
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'G6hxXf90i5' -Value '"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"' -PropertyType 'String'
                                                    Imagebase:0xca0000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:3
                                                    Start time:02:59:10
                                                    Start date:08/01/2025
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7c7550000
                                                    File size:875'008 bytes
                                                    MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    General

                                                    Target ID:4
                                                    Start time:02:59:21
                                                    Start date:08/01/2025
                                                    Path:C:\Users\user\AppData\Roaming\G6hxXf90i5.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"
                                                    Imagebase:0xc0000
                                                    File size:357'376 bytes
                                                    MD5 hash:35C10546B56F0AF9BD3D8C7EA9665965
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.173375468114.00000000025E1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Avira
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 55%, ReversingLabs
                                                    • Detection: 58%, Virustotal, Browse
                                                    Reputation:low
                                                    Has exited:true

                                                    General

                                                    Target ID:5
                                                    Start time:02:59:29
                                                    Start date:08/01/2025
                                                    Path:C:\Users\user\AppData\Roaming\G6hxXf90i5.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\AppData\Roaming\G6hxXf90i5.exe"
                                                    Imagebase:0x700000
                                                    File size:357'376 bytes
                                                    MD5 hash:35C10546B56F0AF9BD3D8C7EA9665965
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:low
                                                    Has exited:true

                                                    Disassembly

                                                    Reset < >

                                                      Executed Functions

                                                      Function 06796571 Relevance: 1.5, Strings: 1, Instructions: 294COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EIt
                                                      • API String ID: 0-735907636
                                                      • Opcode ID: 9d679a614e7a56668b64628f2dadfcca17004371927e30e2729882c4f034d965
                                                      • Instruction ID: 6225e5a84e4adf55a13bb69fbbd2d286e95fdf6bd72dcc5d22d0235022c5c98a
                                                      • Opcode Fuzzy Hash: 9d679a614e7a56668b64628f2dadfcca17004371927e30e2729882c4f034d965
                                                      • Instruction Fuzzy Hash: FCD11D34B111158FDB54EF28E898AAE77F2FB98300F1185ADD80A9B395DB349D42CF91
                                                      Function 0679657A Relevance: 1.5, Strings: 1, Instructions: 280COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EIt
                                                      • API String ID: 0-735907636
                                                      • Opcode ID: ddbd35ec1081689f8981d699a7b233e389dd57344a998aa5ef2111533d56ebd5
                                                      • Instruction ID: 1bd38d6bc4bbc77e8b62a445cf74fa1f78daad94bbcba8a5a3fce84e0a3ddb45
                                                      • Opcode Fuzzy Hash: ddbd35ec1081689f8981d699a7b233e389dd57344a998aa5ef2111533d56ebd5
                                                      • Instruction Fuzzy Hash: E5C10D34B111158FDB54EF28E898AAE77E2FB98300F1185ADD80ADB395DB349D42CF91
                                                      Function 06794292 Relevance: 1.5, Instructions: 1495COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1bb2a801fc5ce58378f8f0920943e292f5c69c922d0623be0c5817032454c334
                                                      • Instruction ID: b5bf9e00ca02a68b6589d8b82749c314eb93ea13d8af6ea80e3530bfb0f77dfb
                                                      • Opcode Fuzzy Hash: 1bb2a801fc5ce58378f8f0920943e292f5c69c922d0623be0c5817032454c334
                                                      • Instruction Fuzzy Hash: 31E2FA747111048FC744EB28E999FAE77E2EB9C300F5185ADD80A9B396CB74AD46DF80
                                                      Function 067942A0 Relevance: 1.5, Instructions: 1493COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8c7161e73033c212380dc26b755166baae242c80dc4c2d26666b670d5ae2970a
                                                      • Instruction ID: 0e1e6d167e36da62a8c1be2b4ae72beb8b03ca868f317f875013927817240432
                                                      • Opcode Fuzzy Hash: 8c7161e73033c212380dc26b755166baae242c80dc4c2d26666b670d5ae2970a
                                                      • Instruction Fuzzy Hash: B7E2FB747111048FC744EB28E999FAE77E2EB9C300F5185ADD80A9B396CB74AD46DF80
                                                      Function 06796635 Relevance: 1.5, Strings: 1, Instructions: 240COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EIt
                                                      • API String ID: 0-735907636
                                                      • Opcode ID: 753dd634654648d33fc30f04b506d8d963514545234e9ba315a9a03b401f169b
                                                      • Instruction ID: 03be8815aefe86e499b988ad7a1d3e17e917114b0e42c3ac95c4087b54943cc9
                                                      • Opcode Fuzzy Hash: 753dd634654648d33fc30f04b506d8d963514545234e9ba315a9a03b401f169b
                                                      • Instruction Fuzzy Hash: 7EA11F34B111158FDB54EF68E898AAE77F2EB88300F1185ADD80ADB395DB349D42CF91
                                                      Function 05F8C860 Relevance: .5, Instructions: 503COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 19c93fd79ffd472bbae0b9f7727f2a8fb1f4de3d9ce16ddcf7ac2a57316d190b
                                                      • Instruction ID: 6da591197e1d99dd5fe2763247eaebcb7f0a1cc8c8ba05c12d92278647316e6f
                                                      • Opcode Fuzzy Hash: 19c93fd79ffd472bbae0b9f7727f2a8fb1f4de3d9ce16ddcf7ac2a57316d190b
                                                      • Instruction Fuzzy Hash: A9124E34B112049FDB04FFA8E8989BEB7B2FB99300B51852DD806AB355DF389C46CB51
                                                      Function 066448FB Relevance: .4, Instructions: 364COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f1352e45c776f21829927132492705549b6b6e94c39bcdacfe277cb049e4a140
                                                      • Instruction ID: 95d78f59671ea7fdbff3eaa61168445d9a27ed3c77187984800df7d8b1c48577
                                                      • Opcode Fuzzy Hash: f1352e45c776f21829927132492705549b6b6e94c39bcdacfe277cb049e4a140
                                                      • Instruction Fuzzy Hash: 44E18A34B016149FDB05FF68E89897E7BB3EB99300B01856DE8069B3A4DF385D46DB81
                                                      Function 06644980 Relevance: .3, Instructions: 346COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c5aaabd3addfa769b6ec2a52eb71e3ec6065737752197c662236b8989a1067a
                                                      • Instruction ID: 039f6c5abe4b7dd4be401a800e78b4433ac8689e486dfc62df77a9f57d8768d0
                                                      • Opcode Fuzzy Hash: 1c5aaabd3addfa769b6ec2a52eb71e3ec6065737752197c662236b8989a1067a
                                                      • Instruction Fuzzy Hash: C7D15A34B016149FDB05FF68E89897E7BB3EB99300B11852DE8069B3A4DF385D46DB81
                                                      Function 06796874 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EIt
                                                      • API String ID: 0-735907636
                                                      • Opcode ID: 49b9d5f35da3a87cc7164597cf2553bb034e78caa612aa374d8f16cb537ec7a1
                                                      • Instruction ID: d42a65fdd03e8649cbf5df1e53bd14e6316605cfd5ea03dd8fa5f61602e4d5d4
                                                      • Opcode Fuzzy Hash: 49b9d5f35da3a87cc7164597cf2553bb034e78caa612aa374d8f16cb537ec7a1
                                                      • Instruction Fuzzy Hash: 26513174B111148FDB54EF68E898AAEB7F2FB88310F1085AAD409DB395DB349D41CF91
                                                      Function 06796881 Relevance: 1.4, Strings: 1, Instructions: 118COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: EIt
                                                      • API String ID: 0-735907636
                                                      • Opcode ID: 2f514897bab9ad7ee67a133a920746e56749424fef5e9a80750a4ff6d01e48b8
                                                      • Instruction ID: d7a6fc889bbf4f3c82a1c8e96cdb291ee2bbfd24a2d621fd143b73d2b6b21696
                                                      • Opcode Fuzzy Hash: 2f514897bab9ad7ee67a133a920746e56749424fef5e9a80750a4ff6d01e48b8
                                                      • Instruction Fuzzy Hash: E0513074B111148FDB54EF68E898AAEB7F2FB88310F1085AAD409DB395DB349D42CF90
                                                      Function 0679CE90 Relevance: 1.3, Strings: 1, Instructions: 83COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: {%
                                                      • API String ID: 0-1677648102
                                                      • Opcode ID: 9e513d4f57bb2afa67e570bbee993b4d7ce23f87c351eb1920f16ce61968fedf
                                                      • Instruction ID: 1bcd2a9a66a67d3acd8ac3aaf888124ae5c0578a27a6e3e584d6a1c6cb96b449
                                                      • Opcode Fuzzy Hash: 9e513d4f57bb2afa67e570bbee993b4d7ce23f87c351eb1920f16ce61968fedf
                                                      • Instruction Fuzzy Hash: B8212631B023004FDF81DF78A4552AE7FB2EB81600B10856ED445DB392DA345C0A8BE2
                                                      Function 06796AC0 Relevance: 1.3, Strings: 1, Instructions: 78COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ;s
                                                      • API String ID: 0-294607650
                                                      • Opcode ID: 7b64a1e27ba3a85cc082f3732ff3d213fc01020f0346279125dfe31f7430ab1f
                                                      • Instruction ID: 2d168c3768ff9164c3d81bfeb3e96009a20bbeb00e658bd40e7e7c8759d20f4a
                                                      • Opcode Fuzzy Hash: 7b64a1e27ba3a85cc082f3732ff3d213fc01020f0346279125dfe31f7430ab1f
                                                      • Instruction Fuzzy Hash: 0E210871B05310AFFB465B16942476E3BE6FB89251F14805AE909DB395CE359C02C7A1
                                                      Function 0679923A Relevance: 1.3, Strings: 1, Instructions: 75COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ;s
                                                      • API String ID: 0-294607650
                                                      • Opcode ID: b1229100477c0d8058516a6f9ed94b8763590e27837896ff38f9f56f40a10de2
                                                      • Instruction ID: e946837adcabdec884c4d41754b68cbcbfd31c0b966f273c57d58b3822d335b4
                                                      • Opcode Fuzzy Hash: b1229100477c0d8058516a6f9ed94b8763590e27837896ff38f9f56f40a10de2
                                                      • Instruction Fuzzy Hash: A62101706012059FCB00EF69E491EAEB7F2FF98204B50C42DD4159B3A4EB35AD0ACF90
                                                      Function 06799248 Relevance: 1.3, Strings: 1, Instructions: 69COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ;s
                                                      • API String ID: 0-294607650
                                                      • Opcode ID: 1af3551b04e9129087f8cb9cdf3084b6d9428ae38d7884238038e47835d0ff56
                                                      • Instruction ID: 53368d049048256ed05ed088f23bdfd7097c68d0af5e36468c359e773bd04eaf
                                                      • Opcode Fuzzy Hash: 1af3551b04e9129087f8cb9cdf3084b6d9428ae38d7884238038e47835d0ff56
                                                      • Instruction Fuzzy Hash: EC21F4707102059FCB40EF69E490DAEB7F2FF88204B50C42DD4199B3A0DB31AD0ACB91
                                                      Function 0679CEC0 Relevance: 1.3, Strings: 1, Instructions: 58COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: {%
                                                      • API String ID: 0-1677648102
                                                      • Opcode ID: 0982d11557a250e83580060fb38a49cca082a1e85036e0bfd6b862aed1d06ee7
                                                      • Instruction ID: cd5beab7ccc55da8c1be78219ca0832e7e8a21cc80a28e82bd4ecb9ac8313c4e
                                                      • Opcode Fuzzy Hash: 0982d11557a250e83580060fb38a49cca082a1e85036e0bfd6b862aed1d06ee7
                                                      • Instruction Fuzzy Hash: 1E11BF71B022148BDF95EF69A4156AEBBB2FBC4710F00852DD406EB384DF745D058BE2
                                                      Function 06796AB0 Relevance: 1.3, Strings: 1, Instructions: 51COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: ;s
                                                      • API String ID: 0-294607650
                                                      • Opcode ID: 2757c70f71af7f7ad17a5776fc900e03d24ae9b896aecb40c4440f8c1c5fa225
                                                      • Instruction ID: ac5f12880f1c5428cd5329cc90212cb5cdee88a545e30a28fe370b1227761625
                                                      • Opcode Fuzzy Hash: 2757c70f71af7f7ad17a5776fc900e03d24ae9b896aecb40c4440f8c1c5fa225
                                                      • Instruction Fuzzy Hash: 4A018F35A01208AFEF959F58E454BEA7BF5FB88360F158226F9088B251C635A941CB60
                                                      Function 0679CF07 Relevance: 1.3, Strings: 1, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: {%
                                                      • API String ID: 0-1677648102
                                                      • Opcode ID: a7e6e68f1b2bafb9a4250f56d4c7e2fa0b6216b1d51a3d1153acdc800f56d351
                                                      • Instruction ID: a08a9f8b8a4a28c389bc558e6ab54a9f17d5cd64210a851620e1bbdda8a6cdd9
                                                      • Opcode Fuzzy Hash: a7e6e68f1b2bafb9a4250f56d4c7e2fa0b6216b1d51a3d1153acdc800f56d351
                                                      • Instruction Fuzzy Hash: 62F022317417108BEF40AF69A46436D77A2FBD0611F00851ED502AF380CFB16C094BD3
                                                      Function 067976A0 Relevance: .5, Instructions: 486COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6bba9794c488045cc304cf6656c9333863dd6948ddf015486acf39f637733038
                                                      • Instruction ID: 73d4bf0eb8cad0b81161bec25065d53f930d4c3336223e34e1c70702fa584236
                                                      • Opcode Fuzzy Hash: 6bba9794c488045cc304cf6656c9333863dd6948ddf015486acf39f637733038
                                                      • Instruction Fuzzy Hash: E7125A30A107058FDB69DF79C450A9EB7F2BF85310F248A29D4069B3A1DB75E882CB91
                                                      Function 06641548 Relevance: .4, Instructions: 442COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 91af943c1c7095a4bc799a57acfff1c386b5719c9cd26ca14de5ec53b8366575
                                                      • Instruction ID: d8b880973bb3d4d1db55d4470aad77054bce6bfc5708b9a1d2ffdda9b9316ed6
                                                      • Opcode Fuzzy Hash: 91af943c1c7095a4bc799a57acfff1c386b5719c9cd26ca14de5ec53b8366575
                                                      • Instruction Fuzzy Hash: 6F026434B01204DFDB04FFA8E9989ADB7B2FF99300B11856DD405AB355DB38AD46CB41
                                                      Function 06798D20 Relevance: .4, Instructions: 365COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4d2a1a0a5ffda292e4e87557b267c3b414661b8afb25a44f22676faacbcc4065
                                                      • Instruction ID: 0f284a49667feb34242fcef0261288031646677380f0b09d02c011fa41e9e947
                                                      • Opcode Fuzzy Hash: 4d2a1a0a5ffda292e4e87557b267c3b414661b8afb25a44f22676faacbcc4065
                                                      • Instruction Fuzzy Hash: D4F14C74A04209CFDB54CF68D584A99BBF2FF49314F29C699D418AB362D730E985CF90
                                                      Function 05F8C850 Relevance: .4, Instructions: 359COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a10ec3b4f1f4f164e0f774327f860085eb285771e6734d0c3a49de9ecb0867b1
                                                      • Instruction ID: b60aba8d64dd4fec9b20a10b55ef33882f663d6f5efa3cdf971142923a7f1787
                                                      • Opcode Fuzzy Hash: a10ec3b4f1f4f164e0f774327f860085eb285771e6734d0c3a49de9ecb0867b1
                                                      • Instruction Fuzzy Hash: 57E14C34B112049FDB04FFA8E8989BEB7B6FB99300B11856DE806AB355DF389C45CB51
                                                      Function 01531830 Relevance: .3, Instructions: 253COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 29ce13674ac5e94a16741a94a375f13a5ba4a99ac435fd4106dda4eb796870ec
                                                      • Instruction ID: caa02e6bc4944f1dcc61bdb326d300870d3c63d2ef660446d671768febd4ff3f
                                                      • Opcode Fuzzy Hash: 29ce13674ac5e94a16741a94a375f13a5ba4a99ac435fd4106dda4eb796870ec
                                                      • Instruction Fuzzy Hash: ABA17A75B006059FC718DF69D598AA9BBF2FF88310F258569E805AB3A1DB35EC01CB90
                                                      Function 06644510 Relevance: .2, Instructions: 240COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8741eac5870d2d92a36dcbd714eb8e2a50e8633f7ad061f74c0553240721d1a
                                                      • Instruction ID: 9a53edd36547e0c2ed7465b20e3a784a61f40908c1a29f18afdb0994e38e7f3c
                                                      • Opcode Fuzzy Hash: d8741eac5870d2d92a36dcbd714eb8e2a50e8633f7ad061f74c0553240721d1a
                                                      • Instruction Fuzzy Hash: 06918D30B016159FDF45BF68E859ABD7BB2EF98200F10812DD402A7394EF789C56CB86
                                                      Function 06798512 Relevance: .2, Instructions: 225COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2838184d42a2906b168815ef96db2c36379fea0809b40409e6b272104aca6afb
                                                      • Instruction ID: 231816922d141225a17b5f54cef065abe94a6b7e955b7d8ef22366edc94d3291
                                                      • Opcode Fuzzy Hash: 2838184d42a2906b168815ef96db2c36379fea0809b40409e6b272104aca6afb
                                                      • Instruction Fuzzy Hash: 8B910734A00208CFDB64CFA9D594AADBBF2BF89304F248569D406AB361DB31ED42CF51
                                                      Function 066444D4 Relevance: .2, Instructions: 221COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 44f86efb81ff7095504890e03313a1b8370b2a25f3e03679f9254f54608cd8fc
                                                      • Instruction ID: 7f9d31f5d3ac9d937cdfebd468fb0b83bc621f7a6a6dcebf5db698667fd8c46e
                                                      • Opcode Fuzzy Hash: 44f86efb81ff7095504890e03313a1b8370b2a25f3e03679f9254f54608cd8fc
                                                      • Instruction Fuzzy Hash: C481A030B016459FDB45FF68E899ABD7BB2EF99200F11811DD40197394EF389C56CB82
                                                      Function 066444C2 Relevance: .2, Instructions: 192COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3ac50eec34110766d63144a8dbf853d8834e71f9180196d9750c570cef3f2551
                                                      • Instruction ID: 0c7ba7c4aae38e6701217f674114e80b5f5ef212092d9d756418b942ab28d0ec
                                                      • Opcode Fuzzy Hash: 3ac50eec34110766d63144a8dbf853d8834e71f9180196d9750c570cef3f2551
                                                      • Instruction Fuzzy Hash: E0718B30B016159FDB45BF68E8996BDB7B2EF99300F10821DD401A7394EF389C56CB86
                                                      Function 06796FA8 Relevance: .2, Instructions: 181COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1978b99609f6d331a493f1d636ffa9081461db5dc70757ef57cec4635411e300
                                                      • Instruction ID: a832a5705c7f5db5f666eb58ba5dfdb2244a71d9289999c0cd279b51dbee945c
                                                      • Opcode Fuzzy Hash: 1978b99609f6d331a493f1d636ffa9081461db5dc70757ef57cec4635411e300
                                                      • Instruction Fuzzy Hash: 17514C31B102099FCF45DF98E850AEE7BF6FF8C210B148166F909A7220D731D951DBA1
                                                      Function 01531281 Relevance: .2, Instructions: 155COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 48ce35d885cf1bbd79fb4d919cc0095d549e8692ed9c5f42ffbcf33b537a9e57
                                                      • Instruction ID: 775ec536b4d2406ce9d2435fa3da1569307adaada1d458d448f9eb45b313113c
                                                      • Opcode Fuzzy Hash: 48ce35d885cf1bbd79fb4d919cc0095d549e8692ed9c5f42ffbcf33b537a9e57
                                                      • Instruction Fuzzy Hash: 35510B74B002158FCB44DFA9D898AAEB7F2BFC8710F2544A9E406EF3A5CA719D41CB50
                                                      Function 01531290 Relevance: .2, Instructions: 150COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 573fcbca37176057622e7dfb6d09e32f319922fb3e024085195c515f5e549b98
                                                      • Instruction ID: 8372d8a9ec6b25532fe30f0a9299fd10c5fee43b11683168a400ed94f98e54f9
                                                      • Opcode Fuzzy Hash: 573fcbca37176057622e7dfb6d09e32f319922fb3e024085195c515f5e549b98
                                                      • Instruction Fuzzy Hash: 2B511A74B002158FCB44DFA9D898AADBBF2BFC8710F2544A9E506EF3A1CE719C418B50
                                                      Function 067906E0 Relevance: .1, Instructions: 149COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 87d7e2503356d378ee393b2a821f9617f4186c11c3fd641fb984f0cdd5e7871b
                                                      • Instruction ID: c11b4f594914429601de3d50dac8fa08b82b79ddfa14ba5adfd5952aba3d4fec
                                                      • Opcode Fuzzy Hash: 87d7e2503356d378ee393b2a821f9617f4186c11c3fd641fb984f0cdd5e7871b
                                                      • Instruction Fuzzy Hash: 4551C1353051404FD705ABA8E8A9B6F77A7EB99300F14846EE446CB3D6CE389C06CBE1
                                                      Function 06792400 Relevance: .1, Instructions: 148COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b7f50d3419ef54c2cca14dd52310a1cb62657bcd33db1cc09eb04e1ec309a2d9
                                                      • Instruction ID: 4cd60c00414b13df93e60de5bf3f502e0c25c15058b0f23efc8b0df3ddc34896
                                                      • Opcode Fuzzy Hash: b7f50d3419ef54c2cca14dd52310a1cb62657bcd33db1cc09eb04e1ec309a2d9
                                                      • Instruction Fuzzy Hash: 7E51F4707212009FCB44FB68F9A9B6E77F6FB88200B158459D801DB396DF389D45CBA1
                                                      Function 067923C8 Relevance: .1, Instructions: 138COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bce04be6ffc51f4f3aedcca067af6b84e330b431112570d113d8d0fed7027953
                                                      • Instruction ID: 3fd48fb2a5721979ce282b1ac9f794da434c7130f517d3f263105f5e7b6d8b1a
                                                      • Opcode Fuzzy Hash: bce04be6ffc51f4f3aedcca067af6b84e330b431112570d113d8d0fed7027953
                                                      • Instruction Fuzzy Hash: EA51A0747212049FCB44FF68F9A9AAE73F6FB88200B118469D801DB395DF389D45CBA1
                                                      Function 06790710 Relevance: .1, Instructions: 129COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ab35e9174510eefba823833a9091e71d338a8e9e5f11d1ceef302533d23dc6ec
                                                      • Instruction ID: 48b0c7bcbb1f598d143b27f6c34b85c5e82544306ef04d8bc4c847640b9e9091
                                                      • Opcode Fuzzy Hash: ab35e9174510eefba823833a9091e71d338a8e9e5f11d1ceef302533d23dc6ec
                                                      • Instruction Fuzzy Hash: 7C4180753011108BE744ABA8E869B6F77A7EBDC300F10852DE9069B7D5CE79AC02DBD1
                                                      Function 06792430 Relevance: .1, Instructions: 127COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ebfc389e2b879f7fa565ad7fba91104ec73e4f3023e452cbdcf04ce144c39a92
                                                      • Instruction ID: cf3e95e3cbcf14c386f6c47935a824db9eb4d48a7b3ead5390452af2a4e4d961
                                                      • Opcode Fuzzy Hash: ebfc389e2b879f7fa565ad7fba91104ec73e4f3023e452cbdcf04ce144c39a92
                                                      • Instruction Fuzzy Hash: 3641BF707212049FCB44FB69F5A9A6E73F6FB88210F108469D801DB395DF389D45CBA1
                                                      Function 067989E8 Relevance: .1, Instructions: 113COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d10394bf2b42040411693b13cc3c90eea9c6a2eede78c9bcf39aec1ab8706aa6
                                                      • Instruction ID: 8b61c25d00f8bdaf52f1d310a6561505b6e9577e491a39c5eef2a5c124d85250
                                                      • Opcode Fuzzy Hash: d10394bf2b42040411693b13cc3c90eea9c6a2eede78c9bcf39aec1ab8706aa6
                                                      • Instruction Fuzzy Hash: 0041DE71B047458FCB11CF6AC850A6ABBF5FF49200B048969E44ACB751DB34ED05CBE1
                                                      Function 0679A170 Relevance: .1, Instructions: 112COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 610104a904fa0539c6ce2465d635f910bf1d1e48bfe8283a3c564aedfa52c53d
                                                      • Instruction ID: 143239e5d6a8d53e2d3ae7aca23eb2c55a4d5c31eaf7b635bffcabd7af5d822f
                                                      • Opcode Fuzzy Hash: 610104a904fa0539c6ce2465d635f910bf1d1e48bfe8283a3c564aedfa52c53d
                                                      • Instruction Fuzzy Hash: 154126307012419FEB45DBA8E899BAD7BF3EB89310F14C15DE401AB3D1CA396C06DBA1
                                                      Function 066420F8 Relevance: .1, Instructions: 104COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cba8fd0e7035941eab7159f237c83eacadb62854d539d576a4558b8ee3f303cf
                                                      • Instruction ID: f5abe3116de604fc1af3d353a809cf693cd37f47beb8d6b08880d23981100fd1
                                                      • Opcode Fuzzy Hash: cba8fd0e7035941eab7159f237c83eacadb62854d539d576a4558b8ee3f303cf
                                                      • Instruction Fuzzy Hash: DB3129327052545FC701EBB9EC609AE7BEAEF89120B1540ABFE49C7391C939CD15D7A0
                                                      Function 0679867F Relevance: .1, Instructions: 99COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f68675c7997935b8d217ae3bd9d7c0030d6372cf0891592cd0f8c594dcb50e60
                                                      • Instruction ID: b1b7b7be886e059792bce6b468b05f07a22c4c4073cbb37d962d4cb4b5e336a2
                                                      • Opcode Fuzzy Hash: f68675c7997935b8d217ae3bd9d7c0030d6372cf0891592cd0f8c594dcb50e60
                                                      • Instruction Fuzzy Hash: D7414A34A00208CFDF54CBA9D494BADB7F2BF89315F24896DD405AB265CB359D81CF62
                                                      Function 05F8D481 Relevance: .1, Instructions: 98COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 56063f2127f430afacb861ad0b812ae45cf2159276fbe2163cf2ac399cef7ac2
                                                      • Instruction ID: ea073565de4a6675aedfb458e835c01cc980a20f8e58f0abb4343e124c7e6126
                                                      • Opcode Fuzzy Hash: 56063f2127f430afacb861ad0b812ae45cf2159276fbe2163cf2ac399cef7ac2
                                                      • Instruction Fuzzy Hash: F9415235B001089FCB05FFA8E8948AE7BB6FF99300F01855AE95597264DB34A855CB91
                                                      Function 0679819F Relevance: .1, Instructions: 94COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e567d906532ab26095cd836279b24cb6d17c835a7cd8c21f8f7dfe7021256f5a
                                                      • Instruction ID: 633ccf16fe07e8c0df73f75d0b713e5b282a40f6f76af47b91494916de9363a4
                                                      • Opcode Fuzzy Hash: e567d906532ab26095cd836279b24cb6d17c835a7cd8c21f8f7dfe7021256f5a
                                                      • Instruction Fuzzy Hash: 473127747007404FD721DF6AD450B5A7BE2AFD6210B18CA6ED085CF3A1CB31D806CBA2
                                                      Function 06642240 Relevance: .1, Instructions: 93COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 248778eb4b917b66d7da97a31faefab5ac352d1f787baa504a86533410ae6a41
                                                      • Instruction ID: 851566c5fa4217db9eca62add0c92141138de0398e05532a6bbb8def2144461b
                                                      • Opcode Fuzzy Hash: 248778eb4b917b66d7da97a31faefab5ac352d1f787baa504a86533410ae6a41
                                                      • Instruction Fuzzy Hash: C0314F726000596F8F028ED59C50CFFBFBEEB4C211B04406AFA54E2150DA35DA25AB71
                                                      Function 0664EC70 Relevance: .1, Instructions: 89COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ef6179e3540874f39e0f78ce6b65a2a8f910deb91e9c2c8391a8e5116e53c37a
                                                      • Instruction ID: d33f9d57083058ee0e29a2a091db46904a810d8b5c7812213d8085c96796bd17
                                                      • Opcode Fuzzy Hash: ef6179e3540874f39e0f78ce6b65a2a8f910deb91e9c2c8391a8e5116e53c37a
                                                      • Instruction Fuzzy Hash: 7931AD31B016148BDB54EF99E4486AEBBB6FFC8710F14842ED812A7380CB79AD41CBD4
                                                      Function 0664FB10 Relevance: .1, Instructions: 88COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f229b4fb2f2d05f5f11297c242fb2045d674b58c6fbbdff4ae6f5a61c6a48b0b
                                                      • Instruction ID: a1270f2d7d132bb72f19ff6bf8a403f07514174dfe9b00145527a9f26a4bf37b
                                                      • Opcode Fuzzy Hash: f229b4fb2f2d05f5f11297c242fb2045d674b58c6fbbdff4ae6f5a61c6a48b0b
                                                      • Instruction Fuzzy Hash: 73314F78B151158FCB45EFACE4996AF7BB3FB98310B10846DD906D3385DE385C058B91
                                                      Function 06643282 Relevance: .1, Instructions: 86COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: efcdd1966c307918285139136216725c276772850fe3c535e5863df50305da4a
                                                      • Instruction ID: 47ae273868d5b69c2959eb321694665dedee0857aef75b62e1521b098c4be7c6
                                                      • Opcode Fuzzy Hash: efcdd1966c307918285139136216725c276772850fe3c535e5863df50305da4a
                                                      • Instruction Fuzzy Hash: 2621F23270A2809FC712DF68E99099A7FF5EF4B21031940EFE085CB252CA385D06DB61
                                                      Function 0664FB20 Relevance: .1, Instructions: 85COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8b4e231262f9ad31345022cb43bb02bb84cc80e3cffbc1d0f853440d3a66b150
                                                      • Instruction ID: b884be7e76bb211ab5d07c72f11916bb7832131821fa4561af37695403b01b8d
                                                      • Opcode Fuzzy Hash: 8b4e231262f9ad31345022cb43bb02bb84cc80e3cffbc1d0f853440d3a66b150
                                                      • Instruction Fuzzy Hash: C6314E34B151058FCB45AFACE4595AFBBB7FBD8310B10802DD906D3385DE385C068B92
                                                      Function 06792B60 Relevance: .1, Instructions: 80COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 372f5c8bd0552f53c82315b363d5d79243fdf1fde64a560187725e8a90a8d98e
                                                      • Instruction ID: ec67f0d1649ab262686700dc2f61b0a6ab4eea74c195861003f16c2b0c0cdd5e
                                                      • Opcode Fuzzy Hash: 372f5c8bd0552f53c82315b363d5d79243fdf1fde64a560187725e8a90a8d98e
                                                      • Instruction Fuzzy Hash: 3F317F30B21214EBDF58EB68F955ABE73F2EB89240F104529D811BB351EB74DD00CBA1
                                                      Function 06792B50 Relevance: .1, Instructions: 79COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f29546aa33a7f100bac89ea46ea8419cd7a23361e0798f92961d0df325f24d3f
                                                      • Instruction ID: ae2b1505bc2fa500b8059f823b956b08ef8f19a3e0ecba841e5e2e57263e8722
                                                      • Opcode Fuzzy Hash: f29546aa33a7f100bac89ea46ea8419cd7a23361e0798f92961d0df325f24d3f
                                                      • Instruction Fuzzy Hash: 6C216974B21214EBDF54EB64E945ABD73F6EB8A240F104629E811BB352DB348D01CBA1
                                                      Function 01531138 Relevance: .1, Instructions: 78COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b1ee4e28dc8f014d4fb2a4db40212e64356005b20befc0f2b3f5563f71b0f189
                                                      • Instruction ID: 18f5b0ab3ecbb9765b637a832896f6b26c5bb26a33201c4f71497fa14a7afcc7
                                                      • Opcode Fuzzy Hash: b1ee4e28dc8f014d4fb2a4db40212e64356005b20befc0f2b3f5563f71b0f189
                                                      • Instruction Fuzzy Hash: 61215C747006048FDB14DF79E998AAE7BF6FBC8740F104468E402DB3A5DB719D008BA0
                                                      Function 01531127 Relevance: .1, Instructions: 73COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d25c479c4ee0f2de7679190b8b1caaeab3918b71508753bb9edad014e72667c8
                                                      • Instruction ID: 0bdb48f62f9e6061e3b186209f292b64fd10344a6d4e8737ebb9de516097d3b5
                                                      • Opcode Fuzzy Hash: d25c479c4ee0f2de7679190b8b1caaeab3918b71508753bb9edad014e72667c8
                                                      • Instruction Fuzzy Hash: 64214C747006008FD758DF79E898A6E7BF6FFC8651B10446DE806DF365DA719D008B91
                                                      Function 0679A453 Relevance: .1, Instructions: 71COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f727129d8fb951c7338e02157e090857ab8e9b596d2229e76db97bf365696d6b
                                                      • Instruction ID: b38493625cc3418482d191eb4431bb6c718005635a6de56d19b5bde846cab9b9
                                                      • Opcode Fuzzy Hash: f727129d8fb951c7338e02157e090857ab8e9b596d2229e76db97bf365696d6b
                                                      • Instruction Fuzzy Hash: 6821EB707062514FDF059B58E8197AE7FB2AB8A700F15405BE401EB3D1CE785D06DBA5
                                                      Function 067989D4 Relevance: .1, Instructions: 69COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: db3760077e3e5be4548a02916b0c0243b9b8cb1032975faab7b9932a570c6a05
                                                      • Instruction ID: a74f3b83ab2ab451af06e1305e35a517124528d1dbdbb33ceb1393400e96dc58
                                                      • Opcode Fuzzy Hash: db3760077e3e5be4548a02916b0c0243b9b8cb1032975faab7b9932a570c6a05
                                                      • Instruction Fuzzy Hash: B921F174A0474A9FCB01CF7AC880AAABBF0FF09210B04499AE489CB711D734E945CFA1
                                                      Function 06798BB0 Relevance: .1, Instructions: 66COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 47737995f83d4970916cebb5127d2960467ffc185f2e64b21d0bef620ad49906
                                                      • Instruction ID: b80898639136551e1d51f9d03c28ae6753575b2caf198e1018f18c151658fc71
                                                      • Opcode Fuzzy Hash: 47737995f83d4970916cebb5127d2960467ffc185f2e64b21d0bef620ad49906
                                                      • Instruction Fuzzy Hash: 1B214770601A058FD724DF19E584A52F7E6FF86324F09CAAAD05A8BA61C770F885CB91
                                                      Function 0679D7D1 Relevance: .1, Instructions: 65COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 68bb1622241af8e77ad00088216f01203a2cc062c1988a9ff34a73dee62efb4b
                                                      • Instruction ID: be9666aa9807d8e5a7c1ddbb73e41f8ee4fbad790d8e643c0933cd94ffd83c4e
                                                      • Opcode Fuzzy Hash: 68bb1622241af8e77ad00088216f01203a2cc062c1988a9ff34a73dee62efb4b
                                                      • Instruction Fuzzy Hash: 1F21AC718047888FCB10CFA9C889BDEBFF4EF49310F24849AD459A7252C335A944CFA1
                                                      Function 0679B52B Relevance: .1, Instructions: 64COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7b934e7aa9584688a6d1126b1975762ef50a209f46cb663a45c53393ba36a52c
                                                      • Instruction ID: dc48a88f034ca39027f8a19ab80573da18151b383d0d4601c33eabd62d0545c0
                                                      • Opcode Fuzzy Hash: 7b934e7aa9584688a6d1126b1975762ef50a209f46cb663a45c53393ba36a52c
                                                      • Instruction Fuzzy Hash: 0E21DF70909744DFCF56CFA8E88059BBFF0EF1A704B0584ABE445CB262C235A946DBA1
                                                      Function 06798C80 Relevance: .1, Instructions: 62COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 83c0ebb78bb05020d7a7e54f1a7d11565d9eec78b6358863ce1f933653eccfd5
                                                      • Instruction ID: 38fc2b7a291e9e9b7e2253ea8d3c2a4fb39b47c2681f2e76f6a1431fa8cfc6e5
                                                      • Opcode Fuzzy Hash: 83c0ebb78bb05020d7a7e54f1a7d11565d9eec78b6358863ce1f933653eccfd5
                                                      • Instruction Fuzzy Hash: 7A1198707052009FDB60CF29E884F63BBF5EF8A314B1589A9E44AC7352D731E846CB61
                                                      Function 0664D218 Relevance: .1, Instructions: 57COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cc6ecf810a0414d7c365c2c4a58debfa0c41fb09e2bf7b29f0b72c345575b8f9
                                                      • Instruction ID: c570fd9bac2fb2c4085f41b768ac8d640aef908410af1217d64068ae0e0bb1a9
                                                      • Opcode Fuzzy Hash: cc6ecf810a0414d7c365c2c4a58debfa0c41fb09e2bf7b29f0b72c345575b8f9
                                                      • Instruction Fuzzy Hash: F811AD317093909FC351EB64EC50A97BFA5FF86354F0484AAF5458B292CA269C46C7A1
                                                      Function 06798121 Relevance: .1, Instructions: 55COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e20c521d892a572d3a309dc0fe16f1dd6e1c5ed0e8b5b9e3a971e9606d5a2e94
                                                      • Instruction ID: 84027730adadc65bcb859ff69f76398d4a7345a0ebcc6bc979625a20a930d524
                                                      • Opcode Fuzzy Hash: e20c521d892a572d3a309dc0fe16f1dd6e1c5ed0e8b5b9e3a971e9606d5a2e94
                                                      • Instruction Fuzzy Hash: 6D01B935B043044FDB60CF6DD854A76B7F5EF8A250715486EE559DB361CA31EC01CB51
                                                      Function 05F8E971 Relevance: .1, Instructions: 53COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6f708d56395fd4a0e33abab56a00a5641bfa7a4c9c87df1c40dd42841a8a9044
                                                      • Instruction ID: b39aa47096e2d8039967ffa9a8de0f40d706aa63108b730312f3738a4eb2b80d
                                                      • Opcode Fuzzy Hash: 6f708d56395fd4a0e33abab56a00a5641bfa7a4c9c87df1c40dd42841a8a9044
                                                      • Instruction Fuzzy Hash: DC118B3250D3C09FC702CF74D9A1A45FFF1AE5720070944DBD0D4CB153C5228906DB22
                                                      Function 0679CBA0 Relevance: .1, Instructions: 51COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aca28adad2064c9bd57bac4e40b5db05bad55d18a4f38e4862441df661d8cc5e
                                                      • Instruction ID: 3387d80e5ecefac968e9bdf5ada1ba6974c9d4d51fb2d83ae790e2a32b022cef
                                                      • Opcode Fuzzy Hash: aca28adad2064c9bd57bac4e40b5db05bad55d18a4f38e4862441df661d8cc5e
                                                      • Instruction Fuzzy Hash: 8801D63020A7D08FDB579B6898505957FF2DF8720070AC5EFC095CB697C5296C07DB92
                                                      Function 0679A480 Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 188cdb556b2127ef76365fcf20370c60377d5654a16c9680a89223a3b0106460
                                                      • Instruction ID: 341d0ba844a6896c9e61d6c0dfbad7c88cbe2e78137e705cd2028d101f979bc5
                                                      • Opcode Fuzzy Hash: 188cdb556b2127ef76365fcf20370c60377d5654a16c9680a89223a3b0106460
                                                      • Instruction Fuzzy Hash: 49019670B011259BDF15AB58E819BAE77F6EB89700F20451EE802BB3C0CFB85D018BE5
                                                      Function 06791A30 Relevance: .0, Instructions: 49COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f63de919e907c8d2e506a46014153f8f1a6bdc1901ed0e506eb9040a5c90562e
                                                      • Instruction ID: b91b08cbfeae49969f106823b1d95bcc85bf0258ad6c98de74e24666f25095cc
                                                      • Opcode Fuzzy Hash: f63de919e907c8d2e506a46014153f8f1a6bdc1901ed0e506eb9040a5c90562e
                                                      • Instruction Fuzzy Hash: 6511A1767040008FEB40DFACE5867AABBF1EB48700F10856DD91AD73C4CA389D05CB91
                                                      Function 06798130 Relevance: .0, Instructions: 47COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dcde1dc39a79a4ad1a169e97d2c2d1cee3dad4da3010f7ea0509c30a278f35c5
                                                      • Instruction ID: c79229c08ce6f26f729efd8548e0547d80a91e1133454e2b2e18e7524e81baba
                                                      • Opcode Fuzzy Hash: dcde1dc39a79a4ad1a169e97d2c2d1cee3dad4da3010f7ea0509c30a278f35c5
                                                      • Instruction Fuzzy Hash: B80162357002054FD710CF6ED898A36B7E6EF8A261714486DF549CB761DA31EC018B51
                                                      Function 015308F0 Relevance: .0, Instructions: 46COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9baa5227970391ad4b45f217beb78a82cfef50754334909ed38b548c30c0ccb8
                                                      • Instruction ID: 1f5233962a169b3ff3994c9d6d99332f1fecd8cfabd87956c8efc97df3e6861b
                                                      • Opcode Fuzzy Hash: 9baa5227970391ad4b45f217beb78a82cfef50754334909ed38b548c30c0ccb8
                                                      • Instruction Fuzzy Hash: 5AF0D46159E7E04FD74787B48CB96823FB0EE1322970A01DBC4C4CE1B3E2994885C762
                                                      Function 014DD7F1 Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544608491.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_14dd000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 060c23d766f7cd211bef549488789cb7dfc87e9a33ae58784e061b515c54ae0e
                                                      • Instruction ID: 9f772e4b7b893bb6ce3422844c744bb5efef571e38666ceec23403b5eb9b7801
                                                      • Opcode Fuzzy Hash: 060c23d766f7cd211bef549488789cb7dfc87e9a33ae58784e061b515c54ae0e
                                                      • Instruction Fuzzy Hash: 5301F7318047449FEB114A96CD85727BF98EF41221F18801BFD6D4A2D3D2799444C6B1
                                                      Function 0679D800 Relevance: .0, Instructions: 44COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 81e200dbd33d725d6db13377fc964b7a61874a40ab685e85e3dab1c9d71c857f
                                                      • Instruction ID: eb0b245ab332d337b0fcb548bbe55f004a6ffb5fd172114f69dd53a031cd337b
                                                      • Opcode Fuzzy Hash: 81e200dbd33d725d6db13377fc964b7a61874a40ab685e85e3dab1c9d71c857f
                                                      • Instruction Fuzzy Hash: EF1103B59007488FDB20DFAAD888B9EBBF4AF48314F20845AD419A7740C375A944CFA5
                                                      Function 06791A40 Relevance: .0, Instructions: 43COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9a01be9f956d43d341c7230889c663d0bfa3a21e1e857a89e4cb5ea0fdaa2950
                                                      • Instruction ID: 90360a562918b352ee4e27219b883562ca0c9f909e7900d1de99560797ca90d8
                                                      • Opcode Fuzzy Hash: 9a01be9f956d43d341c7230889c663d0bfa3a21e1e857a89e4cb5ea0fdaa2950
                                                      • Instruction Fuzzy Hash: 7C019E71B001049BEB40EFACE8457AB7BF5EB48700F008069AA0AEB3C4DA385D00CB91
                                                      Function 06649F20 Relevance: .0, Instructions: 42COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0b3a6db493284a0c0127780ce1ad57298ac4126a7b5fb9ac8ae237c61644f386
                                                      • Instruction ID: 0d5e5d72bcb38a185539537164b9944bd5fd51f36161332aa21916803066dcf7
                                                      • Opcode Fuzzy Hash: 0b3a6db493284a0c0127780ce1ad57298ac4126a7b5fb9ac8ae237c61644f386
                                                      • Instruction Fuzzy Hash: 840162773411109FCB165F88E914CAA7B66EBDC32130A80A5F6098B335CB35DC12DB91
                                                      Function 067995F3 Relevance: .0, Instructions: 40COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a5d876f44726285e610782affb596e396057544a87555da4cd9e59728cb49185
                                                      • Instruction ID: 644cd14aa207cb8cb94b0bae69de8b5f381ee5e2461142184be71a5935661a41
                                                      • Opcode Fuzzy Hash: a5d876f44726285e610782affb596e396057544a87555da4cd9e59728cb49185
                                                      • Instruction Fuzzy Hash: 67F0497164F3C05FDB43DBB09E625987FB59E4320431A81CBE088CB2A3D527990AD7A2
                                                      Function 0664D802 Relevance: .0, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 508bb1346af74eadfdd347f366125e411e4f35a2dc4c5487d115d861d7c6cdea
                                                      • Instruction ID: ae2eee0a694f5086f80682da0ddafc5c10e0b5b4d809631083b5661e1ee80175
                                                      • Opcode Fuzzy Hash: 508bb1346af74eadfdd347f366125e411e4f35a2dc4c5487d115d861d7c6cdea
                                                      • Instruction Fuzzy Hash: 8AF0903260D2009FC701DF54E99185EFBF6EFD5600714859FE49697214EE329D16CBA2
                                                      Function 014DD7F0 Relevance: .0, Instructions: 36COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544608491.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_14dd000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7ee5da3657ee835dfc83a26f036cf8141275629a70d16c565f6113f94a554020
                                                      • Instruction ID: 77e8310ff44a3c1ce92136530a19bb89d01e91df5821908f3382e78fbe4bcfc0
                                                      • Opcode Fuzzy Hash: 7ee5da3657ee835dfc83a26f036cf8141275629a70d16c565f6113f94a554020
                                                      • Instruction Fuzzy Hash: 7EF0AF718043449EEB118A0ACCC8B63FB98EB40720F18C45AFD184E293C2799844CA60
                                                      Function 0664EDAF Relevance: .0, Instructions: 31COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8ee10c36ec977598f57752bd2eb7e4f0578eaa378621c5082d37936bee4f6eb6
                                                      • Instruction ID: 80aabcf9545fec1cda78949cf714812f7034d33053d352bc9ce0cfaebf59c485
                                                      • Opcode Fuzzy Hash: 8ee10c36ec977598f57752bd2eb7e4f0578eaa378621c5082d37936bee4f6eb6
                                                      • Instruction Fuzzy Hash: 63F02B767053005FD305D769E9E176ABBAAAF88121B5881AAE108CB397DD60DC04D3E0
                                                      Function 06643328 Relevance: .0, Instructions: 30COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a53bd7a4064243d76dc3febf704a2721b79183fd17d0b0ba3f9a857e7704fa1d
                                                      • Instruction ID: 7a5820af4237c65c12e60f4263d84ef6ef33ac456cae29c21c415d74652b699a
                                                      • Opcode Fuzzy Hash: a53bd7a4064243d76dc3febf704a2721b79183fd17d0b0ba3f9a857e7704fa1d
                                                      • Instruction Fuzzy Hash: A6F03035301114AB8715AA4DE88987FBB9AFBC9660754802DF50AC7354CA389C069791
                                                      Function 066421E1 Relevance: .0, Instructions: 30COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c29a03d03871dc36ed0e3da9f91e871605cf5c173f024d452a6259315839627a
                                                      • Instruction ID: 02a57fdff0aff2bea7d1b7dda94b467cf8620bc1e55afc2e9a2218239a452554
                                                      • Opcode Fuzzy Hash: c29a03d03871dc36ed0e3da9f91e871605cf5c173f024d452a6259315839627a
                                                      • Instruction Fuzzy Hash: 1BF030721081D86ECB42CF948C10DBA3FB99F4A114B098086F994D6152C17AC921DB70
                                                      Function 0679CAC1 Relevance: .0, Instructions: 30COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ea6ecd55db09d5e44d847cc0c10fbf54f2d029b7e4c25a80c4912a3f6c51aa44
                                                      • Instruction ID: da65a4896e98d1ea8c8d9114bd496023fa97d3b1a31a1e90ee21950b4962def1
                                                      • Opcode Fuzzy Hash: ea6ecd55db09d5e44d847cc0c10fbf54f2d029b7e4c25a80c4912a3f6c51aa44
                                                      • Instruction Fuzzy Hash: 1BF02735205280CFCF528F64E4642257FB1EF81214F0AC4EBC4458B2A7C738EC46C791
                                                      Function 01530898 Relevance: .0, Instructions: 29COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b4beeb85c95aba00e0e8a1e68130188db38fa2c5b0e3c05c97f0024d1462b93a
                                                      • Instruction ID: da8f6ed6a5a6e252efd8bd2ce24f2684af95480b74f26612474d5aeece57387d
                                                      • Opcode Fuzzy Hash: b4beeb85c95aba00e0e8a1e68130188db38fa2c5b0e3c05c97f0024d1462b93a
                                                      • Instruction Fuzzy Hash: 54F0A074901305DFDB40DFA4D8686EDBBF0FF91219710059AE406DF161E7300E01CB91
                                                      Function 01530861 Relevance: .0, Instructions: 28COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2b425d8d9a4f6cdd7f00e27fc3e9aaa3405ec77df1642ce5aecf4d67d1a2adfd
                                                      • Instruction ID: 3c0e66bc882083dbab00870a19009653441e0c7182ae8ca1c1b6e453a6241326
                                                      • Opcode Fuzzy Hash: 2b425d8d9a4f6cdd7f00e27fc3e9aaa3405ec77df1642ce5aecf4d67d1a2adfd
                                                      • Instruction Fuzzy Hash: 23E0266014DBE14FC3534BA85CB42D17FA0ED4312938A01D785C1CA166E26C5C45C7A2
                                                      Function 06641BD8 Relevance: .0, Instructions: 27COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 45baf327af66e032ab0545bb3290ed36298df943eae9f265831fddd88b5532bf
                                                      • Instruction ID: ddda2d4a06eed2f8c54ceb3c060b51b2650379b1c8b35ff7c289bd483d49035e
                                                      • Opcode Fuzzy Hash: 45baf327af66e032ab0545bb3290ed36298df943eae9f265831fddd88b5532bf
                                                      • Instruction Fuzzy Hash: F4E065361082855FC341DF54E851C66BBF5EF86104709459AF494C72A2EA25DD16CFA1
                                                      Function 06641B94 Relevance: .0, Instructions: 25COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 56f7f65391d0b9c0e9c365ac32fa925a280191b4078f23f788a70c96e85e9805
                                                      • Instruction ID: 99402e1b88ad9b41e03f6a421c1ce7413fcb8baaca6d713a194f9f86118df443
                                                      • Opcode Fuzzy Hash: 56f7f65391d0b9c0e9c365ac32fa925a280191b4078f23f788a70c96e85e9805
                                                      • Instruction Fuzzy Hash: 2FE06D3290A388EFC702DFB0ED6155A7FB59E0320071980DBE480DB1A2EA318A19C752
                                                      Function 066421F0 Relevance: .0, Instructions: 25COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 40b153383e6de520665622cd19abb3d691de445f4deecf93faaa50dfd1b24b64
                                                      • Instruction ID: 704a75d8dcbbdfedf44427af84db028faf61110e9c107736e094e3b967943e86
                                                      • Opcode Fuzzy Hash: 40b153383e6de520665622cd19abb3d691de445f4deecf93faaa50dfd1b24b64
                                                      • Instruction Fuzzy Hash: 81E0ED721041987F8B41CE95CC10CFA7FEDEB4D265B088046FE98D2151C576DD21EBB0
                                                      Function 0664FAD1 Relevance: .0, Instructions: 24COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dae3c873f400b04992f28783ac13088e4491881bf7a0f9eac8388fbe411615b8
                                                      • Instruction ID: 5b7e1fe02f8f7ff250b0b0c51fead0d1f32cfe1fb022f57d4c1eaebcf7e4b179
                                                      • Opcode Fuzzy Hash: dae3c873f400b04992f28783ac13088e4491881bf7a0f9eac8388fbe411615b8
                                                      • Instruction Fuzzy Hash: 6DE0322044EBC09FC3029B348C62A417FB19A83200B0E84EB8894CB2A3D62D980AC722
                                                      Function 06791BE0 Relevance: .0, Instructions: 24COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee6e5dadd43a7ee8208c480e04efe459f13e0a4b90c1efb4166e3b9f87c1f236
                                                      • Instruction ID: d77354f5f039bf24018ab23801672832aca0850a320a0307123041c3da97dafe
                                                      • Opcode Fuzzy Hash: ee6e5dadd43a7ee8208c480e04efe459f13e0a4b90c1efb4166e3b9f87c1f236
                                                      • Instruction Fuzzy Hash: 5DE08C361452547FCF028E94CD11CE67F36EF86210708C69BFC569B362CA328E22DBA0
                                                      Function 05F8D490 Relevance: .0, Instructions: 24COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 36efc0d4b1e0f94b0174edab69a28cb484ec487364fbb88d2db975fc1baf61ea
                                                      • Instruction ID: 8af9f828fb66bf308e916d5c1031e9362a379f9ef42d0eeec6b1b1fc82a98153
                                                      • Opcode Fuzzy Hash: 36efc0d4b1e0f94b0174edab69a28cb484ec487364fbb88d2db975fc1baf61ea
                                                      • Instruction Fuzzy Hash: 0CE0C03151060C9FCB01EE98D8418D9BB79EF4A214B01C25AFD4467210EB71E965DBD1
                                                      Function 06791D09 Relevance: .0, Instructions: 23COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 13772d1fffbb587c99fea7e211b04ce481221500f510161de5ab23381878958a
                                                      • Instruction ID: bce705d7ff883697468328a951c1cef9e72f39d677afd988064adb55c3ab7eba
                                                      • Opcode Fuzzy Hash: 13772d1fffbb587c99fea7e211b04ce481221500f510161de5ab23381878958a
                                                      • Instruction Fuzzy Hash: B0E04F761092946FC742CEA4DD61AA67F69DF46310708C49BF898CB292CA31DD21DB70
                                                      Function 066433B8 Relevance: .0, Instructions: 22COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 569ebb185a9989062607292d9928ad43a7ee8d886fd4dfe8d1ea35fe78bf2bba
                                                      • Instruction ID: 2cdbad2e9950f4b7d3bdda9ac60fba0f1cfa9d81ce101ba2fea293df7e2d732f
                                                      • Opcode Fuzzy Hash: 569ebb185a9989062607292d9928ad43a7ee8d886fd4dfe8d1ea35fe78bf2bba
                                                      • Instruction Fuzzy Hash: AAE04F32109184AFD702CF94D9928A6BF31EF96220718C48BE8548B252C633DD22DBA0
                                                      Function 06644F79 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d0fde52c8bd7a38067b6ebf6c9121f2a418f4ca31ecb36a64bbedfb850c8c7dd
                                                      • Instruction ID: 4a06c2c527555ed0784bd5fb5ad6f6c916841a5f06cc50b83ea0e41b4b061d20
                                                      • Opcode Fuzzy Hash: d0fde52c8bd7a38067b6ebf6c9121f2a418f4ca31ecb36a64bbedfb850c8c7dd
                                                      • Instruction Fuzzy Hash: 57E048361042949FD702CE64D850D667F75DB96214B0980DBF9448B153C5B2C925DB61
                                                      Function 0664FD68 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 61f1ffc6003e29d3410da361b4cbe5e5ac5e17fd5e3de2563f503817b6bad253
                                                      • Instruction ID: 044ba9456f88f8a5d74b784ae9f967ec1ed7c6301271f48c72f9022d912f0f97
                                                      • Opcode Fuzzy Hash: 61f1ffc6003e29d3410da361b4cbe5e5ac5e17fd5e3de2563f503817b6bad253
                                                      • Instruction Fuzzy Hash: 25E08632505384EFCB51CF78D9D169DBBF5DF4620471005DED054CB211E9314A01E721
                                                      Function 06644938 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 57b5cf893a169028aa54e7dff9028145901cd71f7d3279b0e8fcee26e78da7be
                                                      • Instruction ID: 1a0bef5e4ff20e2fa4ab7bae286208c7d3c8c03db591c6c077a63769fc012e23
                                                      • Opcode Fuzzy Hash: 57b5cf893a169028aa54e7dff9028145901cd71f7d3279b0e8fcee26e78da7be
                                                      • Instruction Fuzzy Hash: 0FE0483A1081946FCB029F94DC10CE57F759F4A1107098097F99887163C5728922EBB0
                                                      Function 0679A678 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 503bca5c38e7629669fd3019beaad8069045182d6c5e296b0cb145e657007116
                                                      • Instruction ID: 43b5d4be206fe976d72248cd543664e3c704e6ff1192731f924f41d1a87a24de
                                                      • Opcode Fuzzy Hash: 503bca5c38e7629669fd3019beaad8069045182d6c5e296b0cb145e657007116
                                                      • Instruction Fuzzy Hash: 31E08C311092009FD701CB98E900947BBF29FC6A00B0A848FE8809B222C221AC17CB72
                                                      Function 0679BCC1 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc45a59282fd53b52fe7ffc2c66340664f9f33a71d57f9f5de8c5a21961c1fea
                                                      • Instruction ID: b270c1c9c5406b72c7a38f85611063943acb55122a6481cf8cfbf6386c29ff5f
                                                      • Opcode Fuzzy Hash: bc45a59282fd53b52fe7ffc2c66340664f9f33a71d57f9f5de8c5a21961c1fea
                                                      • Instruction Fuzzy Hash: C3E08C2410C2A05FC302CA209D50CA7BFB49B9A600719858AF880D6252C1119C17CF72
                                                      Function 05F8ADB9 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9dd780195cec9f6a55e47fab3063a92c6bc36cfdc916d3745e49c704f23eb11b
                                                      • Instruction ID: 654411e39ad49055ebf87efebfd8b3204d0ee2fe1e16f8a49b4ab3fae9aec956
                                                      • Opcode Fuzzy Hash: 9dd780195cec9f6a55e47fab3063a92c6bc36cfdc916d3745e49c704f23eb11b
                                                      • Instruction Fuzzy Hash: 0BE04F3251C2808FC311DF6CD491999B7F5AF96200B18888FD8C097251EB21EC06C762
                                                      Function 0153124F Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9d55b91336222cb7c79d14d29f50e55bccd8870cf177d976a5b4d9d6c2a5d55e
                                                      • Instruction ID: 5bb2f2908a2732998723be61e8ff0c33096171e1b430a9ea76c70432b6a87e74
                                                      • Opcode Fuzzy Hash: 9d55b91336222cb7c79d14d29f50e55bccd8870cf177d976a5b4d9d6c2a5d55e
                                                      • Instruction Fuzzy Hash: A2E01276F513518FC7915FA8D85948577F5EF566A130104A6E406CF331DA748C028B95
                                                      Function 015308A8 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e22e3ca6758df6ca6214a3554316f221a9e4de51cce9548e0e4865847173dbd1
                                                      • Instruction ID: eb6258baaab720c734f474a4c88254edcb1a201b0d2d59c086952193dcc8135e
                                                      • Opcode Fuzzy Hash: e22e3ca6758df6ca6214a3554316f221a9e4de51cce9548e0e4865847173dbd1
                                                      • Instruction Fuzzy Hash: 65E086B4A05309EFD700EFE4D52455CBBF5FB84205B504499F4069F250DA311F0197D1
                                                      Function 06640649 Relevance: .0, Instructions: 19COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1a6ae271aafd44960fad46c55bdba0810f66021e4ac9deacc382f8ce65853cb2
                                                      • Instruction ID: 5c6afaed920e8c6d1960a72d1131389aa6bd3c2475e3b131441639d3dd6676e4
                                                      • Opcode Fuzzy Hash: 1a6ae271aafd44960fad46c55bdba0810f66021e4ac9deacc382f8ce65853cb2
                                                      • Instruction Fuzzy Hash: 71E0467110D2809EC302CB68E990D26BFF49FE6604719848EE8C0C7253C622DD2ADB72
                                                      Function 0664CF78 Relevance: .0, Instructions: 19COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cde4c05c91199b6132d416fd991779d04325d9763e19c60e2f16f5c2e3d3baaf
                                                      • Instruction ID: c985783c16230bdc74a670e2b5671d378fd9b8fc37582a089f07e40af849481b
                                                      • Opcode Fuzzy Hash: cde4c05c91199b6132d416fd991779d04325d9763e19c60e2f16f5c2e3d3baaf
                                                      • Instruction Fuzzy Hash: 67E0EC362082819FD351CF15D891952BBF5FF96200715994EE4D187651CB259856CB21
                                                      Function 06790640 Relevance: .0, Instructions: 19COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e81cd967bb17842bf29cc9eac42aaff2c6f7d53e4423e932e3713690898ecb2f
                                                      • Instruction ID: d0aefe295527780ca1e4c749cded2f94f6f54082f80c1cdd9f243a2d13ba0413
                                                      • Opcode Fuzzy Hash: e81cd967bb17842bf29cc9eac42aaff2c6f7d53e4423e932e3713690898ecb2f
                                                      • Instruction Fuzzy Hash: B6E0C231A0A748AFC701DFA888105EE7BF69F46300F5041E3E504DB262E8324F18C761
                                                      Function 06799778 Relevance: .0, Instructions: 19COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7dcc0658a5c9444ea24fbfc9f452ec90feae5a482728760c31e29750ba552e64
                                                      • Instruction ID: dc69970119b5444b3d982af60d23e85768571d1c08e5479947f058559efe2dfa
                                                      • Opcode Fuzzy Hash: 7dcc0658a5c9444ea24fbfc9f452ec90feae5a482728760c31e29750ba552e64
                                                      • Instruction Fuzzy Hash: CFE08C752093809FE342DB60E851841FFA2AFC3110729C88BE4808B223C612980ACB61
                                                      Function 0679B29B Relevance: .0, Instructions: 19COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1f19ecab228465851955bd8d0bab7eaf71b8bd378c4868a5644b8d81f0782d0b
                                                      • Instruction ID: 5fe9960ce6bf46e91802ecadf6daa8af82de7e007ac72955ff4c9fd79ae865b4
                                                      • Opcode Fuzzy Hash: 1f19ecab228465851955bd8d0bab7eaf71b8bd378c4868a5644b8d81f0782d0b
                                                      • Instruction Fuzzy Hash: B0E0C27110E3C24FC742DB10E89086ABF72FF92218B1989CEE4904B293C7218E0BCB71
                                                      Function 066432E9 Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c1ab4e74039bd48bdec0f7efdcfb4dabc967e2f4857707c0db965d0831126582
                                                      • Instruction ID: cbe47b051b9988b103396b76cd3f4769c07deddff79c714d108ba2abbbd9ad99
                                                      • Opcode Fuzzy Hash: c1ab4e74039bd48bdec0f7efdcfb4dabc967e2f4857707c0db965d0831126582
                                                      • Instruction Fuzzy Hash: 26E0EC3A10C2809FC312CF54E991D55BBF1AFDA600729889EE4D087252CA269C16CF72
                                                      Function 06647CA2 Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1da7b67e5be9f888e6309e189845eae975370287bf51af190fb78491f9ef0843
                                                      • Instruction ID: 9587debe1af58d87b18f2f361c3b810f2de58c09762ab4afb84f3b4025be0018
                                                      • Opcode Fuzzy Hash: 1da7b67e5be9f888e6309e189845eae975370287bf51af190fb78491f9ef0843
                                                      • Instruction Fuzzy Hash: BDE0467211D3818FC301CF14D880851BBB1FF8A310725888ED4A08B252CB32A827CB61
                                                      Function 06644948 Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a8e6a07dc12e02ad3e5ed504a5308a9fd4191ff32c073443818bcad8348e5d37
                                                      • Instruction ID: 74bd5e682b91a2d78f462f720d40d5774850364329bd47b2e62bddd07364fa43
                                                      • Opcode Fuzzy Hash: a8e6a07dc12e02ad3e5ed504a5308a9fd4191ff32c073443818bcad8348e5d37
                                                      • Instruction Fuzzy Hash: B2D012321001187F8B01CE84DC01CA67B6DEB89260704C056FD1487211C672DD22DBE0
                                                      Function 0679B418 Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7fcdedbca12365b1a1caccd3f557563a67bb05216db5e589c82420bf6315ecc8
                                                      • Instruction ID: bb00ded5279c468e50a20ed2fcaea3fe63f5dc6aeabf4dac993c6a34047af187
                                                      • Opcode Fuzzy Hash: 7fcdedbca12365b1a1caccd3f557563a67bb05216db5e589c82420bf6315ecc8
                                                      • Instruction Fuzzy Hash: 6DE0BFB110D2819FC302CB54E919C56FFA69B96514709C4CEE484AB263C6259C15D773
                                                      Function 06791948 Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 35bdbf9de22335589c858df8cfaece9fbbdb110bc568381f4b51c4a5dec9a639
                                                      • Instruction ID: 0b62c7c938d7fb90a1b380a5ebce6ba53d5d336ee567bf657e8f697c3f6169fd
                                                      • Opcode Fuzzy Hash: 35bdbf9de22335589c858df8cfaece9fbbdb110bc568381f4b51c4a5dec9a639
                                                      • Instruction Fuzzy Hash: 25D0177920D3818FC342DAA4E811841FB71FF86610719CD8AE596DB253CA31DC8BCBA1
                                                      Function 05F8E9C8 Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 64bdc42de40e835106a76599a1e34107c263271f70ea39fdc2aa5568455e80de
                                                      • Instruction ID: 5ef41f5677cf679e9c162dcf53541b7e93ded849a3f0e26eaf61386b2cdb47d3
                                                      • Opcode Fuzzy Hash: 64bdc42de40e835106a76599a1e34107c263271f70ea39fdc2aa5568455e80de
                                                      • Instruction Fuzzy Hash: C9E08C3210C2819FD302CF64EA60946FFA2AF97600B0889CAE580DB213C532CC56C762
                                                      Function 05F8C820 Relevance: .0, Instructions: 18COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 185e037c771b7ede05dbb0d84bbeb6b533eba7023bc0d43e770cf42bef0829b6
                                                      • Instruction ID: bdf386be34230432ab6be1f75334eade1b59a8686500a3019ba128a7d0aff9de
                                                      • Opcode Fuzzy Hash: 185e037c771b7ede05dbb0d84bbeb6b533eba7023bc0d43e770cf42bef0829b6
                                                      • Instruction Fuzzy Hash: 70E0E23610C3809FC302DB58D8E1866FFB1EB9A210719888AE4E487253C622A857CBA1
                                                      Function 0664FA10 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ba0f7a701db5203026b18556a0989cd6154fc1696c2c58aaca6c1452dd317946
                                                      • Instruction ID: a16c4d8adfce4f0ffdd84b8c032813797251062bd8f751a8abb0ef2c745c66ae
                                                      • Opcode Fuzzy Hash: ba0f7a701db5203026b18556a0989cd6154fc1696c2c58aaca6c1452dd317946
                                                      • Instruction Fuzzy Hash: B7E0C272D06548EFCB50CFB4DA26B9D7BF0AF4A200F1400EED4489B200E9324A00D741
                                                      Function 06644F88 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
                                                      • Instruction ID: d8e6f52d84d0e9a7535ad6c92223e7db018a165c074aefbb2bfd7201b7f166f6
                                                      • Opcode Fuzzy Hash: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
                                                      • Instruction Fuzzy Hash: D3D05E322001187F8B00CE88DC00CA67BADEB89220B04C05AFD5887241CAB2ED22DBA0
                                                      Function 0664DC70 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 61c466d2fc1c075c6826c32f438f95bc5599c593f1cb4e722b0c9499469c906f
                                                      • Instruction ID: 8f844e69107164a8bcb1bf931f6b6713c690a1ee53f681f2dc7b55d97ce27107
                                                      • Opcode Fuzzy Hash: 61c466d2fc1c075c6826c32f438f95bc5599c593f1cb4e722b0c9499469c906f
                                                      • Instruction Fuzzy Hash: 43D0177A2082805FC341CB24C8D1911BFF4EFAB201329869EE0D5CB252CA219902CB25
                                                      Function 0679B4FB Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b3adea7d4d747c550acb83d955f734be1eb6e4502a662d52692283b9fab80b05
                                                      • Instruction ID: f7a11b2224b88f5152464a26cb88e837a54abef53fe67869f6a82b832602c0d4
                                                      • Opcode Fuzzy Hash: b3adea7d4d747c550acb83d955f734be1eb6e4502a662d52692283b9fab80b05
                                                      • Instruction Fuzzy Hash: DCD05EB010A3914FD342DF04D850C62BBB1FFC6A00B1589CBF8948B262C7229D16C766
                                                      Function 06791D18 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
                                                      • Instruction ID: d8e6f52d84d0e9a7535ad6c92223e7db018a165c074aefbb2bfd7201b7f166f6
                                                      • Opcode Fuzzy Hash: 8ab869af69afa5e3705abfa003fbeb05737d94153e11a484e1e7a4c73e3e153c
                                                      • Instruction Fuzzy Hash: D3D05E322001187F8B00CE88DC00CA67BADEB89220B04C05AFD5887241CAB2ED22DBA0
                                                      Function 05F8EED0 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7558b9c0477357e82362565297ea408876ca3f21e724d0dff67e1d8f1b5ca298
                                                      • Instruction ID: b9d4d2ed522cbf709cdf90d996df6546b7d3c5b745d0fad5d493d1da0be85566
                                                      • Opcode Fuzzy Hash: 7558b9c0477357e82362565297ea408876ca3f21e724d0dff67e1d8f1b5ca298
                                                      • Instruction Fuzzy Hash: 03E0EC3510C3816FC701CA24C894852BBB5AF86214714898EE4A587292C7229D07C761
                                                      Function 05F8D9A8 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8175247dc4585b6baa264f5900498cd25977495e1dd478936a541be4165f3d81
                                                      • Instruction ID: 703d5b012f774344aab657c6aa44bb94f80fb6c4ed99460b0b3916558e92ba2e
                                                      • Opcode Fuzzy Hash: 8175247dc4585b6baa264f5900498cd25977495e1dd478936a541be4165f3d81
                                                      • Instruction Fuzzy Hash: 2CE0123511D3C15FC702C7789860952FF71EFD650470DC9DBE49487253C6219817C762
                                                      Function 05F8E350 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 390354e9fff57a9c699fde7e76ae469216b175c3db4d0640f6e1864ecdf9636e
                                                      • Instruction ID: acb36965725d73724ea31865b98fc1c90a1d92c9ce21016bbf92d1f25e2b739a
                                                      • Opcode Fuzzy Hash: 390354e9fff57a9c699fde7e76ae469216b175c3db4d0640f6e1864ecdf9636e
                                                      • Instruction Fuzzy Hash: 26E0EC7210C3805FC751CE64E8D1951BBA2AF9A300719484ED590C7252C625D857DB31
                                                      Function 0664D758 Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8d4e1ebab224344b02596413c91cd8c58646eb26848cb6405d8ae91696a778cf
                                                      • Instruction ID: 3e412b1678f02150743c288f154abafe4c0434910cb92f56c8c6aa44d6f9603b
                                                      • Opcode Fuzzy Hash: 8d4e1ebab224344b02596413c91cd8c58646eb26848cb6405d8ae91696a778cf
                                                      • Instruction Fuzzy Hash: B1E0EC7510C2818FC742CF54EDA1D45BBB19F86600B19888EE48197256C6219C17DB32
                                                      Function 066433C8 Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
                                                      • Instruction ID: 877f0f7dcd895513f3842dead994786ff947c22c1e70ab8d1161cd6d10d093a9
                                                      • Opcode Fuzzy Hash: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
                                                      • Instruction Fuzzy Hash: 04D09E36200118BF9B05DE84DC41CA6BB6AEB89660B14C45AFD1547351CAB3ED22DB90
                                                      Function 06645FA8 Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1669bf22284e44fc115c6035d2e0a1fc815bbf5ef4bfe87207b0d946731b33a7
                                                      • Instruction ID: 7eff80890779ba2b6ccc031c30065759fd372fe3f6cbfbc9def357ad67dda0bf
                                                      • Opcode Fuzzy Hash: 1669bf22284e44fc115c6035d2e0a1fc815bbf5ef4bfe87207b0d946731b33a7
                                                      • Instruction Fuzzy Hash: 48E0127650C3804FC655CF28E891955BBA2EF976147184C8ED4E0C7393C721E807DB31
                                                      Function 06791B78 Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bd3dd01690b6df89c9f8428650d83adf180654844b475f2560f7a6eca49a1c0e
                                                      • Instruction ID: 81b84d85491f7fa5ad5dfb9f4612f15df7d1bc70f9a7e6d13aa7593dc3383182
                                                      • Opcode Fuzzy Hash: bd3dd01690b6df89c9f8428650d83adf180654844b475f2560f7a6eca49a1c0e
                                                      • Instruction Fuzzy Hash: 11D0173610C3914FD342CF68E991991BBA1EF86200B18888AD8E297252CA21D807CB21
                                                      Function 06792B28 Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0a6f1769141b6ed22580a995ed90f2b7fce524ef3f4153b738bf3c2e2903a247
                                                      • Instruction ID: ccbbd66880b7e122b84df1be1fdccb7f2eb04e5cee157c8a8cd654a16d98a9ef
                                                      • Opcode Fuzzy Hash: 0a6f1769141b6ed22580a995ed90f2b7fce524ef3f4153b738bf3c2e2903a247
                                                      • Instruction Fuzzy Hash: 6ED09E725191804FD351CB35CA97650BBE5EB93214368889FC495CB252DA26DD07CB21
                                                      Function 06791BF0 Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
                                                      • Instruction ID: 877f0f7dcd895513f3842dead994786ff947c22c1e70ab8d1161cd6d10d093a9
                                                      • Opcode Fuzzy Hash: 44ba782675fcdd8aff74ea6f0a83c41e2cb3e78684efea51cd70aa7f2296677b
                                                      • Instruction Fuzzy Hash: 04D09E36200118BF9B05DE84DC41CA6BB6AEB89660B14C45AFD1547351CAB3ED22DB90
                                                      Function 05F8DBC0 Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3f51302fbaca920ee68e72827f06f002c58d3b3830ddb974edd4625d0e425e5e
                                                      • Instruction ID: 50fcf785aeecb04834104d6b8f220605b1dfb0f8ea85d545028103b8432c73e6
                                                      • Opcode Fuzzy Hash: 3f51302fbaca920ee68e72827f06f002c58d3b3830ddb974edd4625d0e425e5e
                                                      • Instruction Fuzzy Hash: 3CD05E7A9191409FD301DB388E17080FFB0EA56104708C296C4988B297D631A8278BE3
                                                      Function 05F8BAC1 Relevance: .0, Instructions: 16COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a33819f6014fff70d815e7fab75bb5c6c3d88fc97edcb3045e2f7ae0062a9ed
                                                      • Instruction ID: d61881942c3c057a74760fa0d0ed3f8364733b4bbb42959b36c0abc8511a0607
                                                      • Opcode Fuzzy Hash: 3a33819f6014fff70d815e7fab75bb5c6c3d88fc97edcb3045e2f7ae0062a9ed
                                                      • Instruction Fuzzy Hash: 6DD02E32A06288EFCB02DFB0CA30D8E7FF38B46200B0500E7E054E7162E8328A14DB80
                                                      Function 0664D9C8 Relevance: .0, Instructions: 15COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 02701dd76a08a9c27690a146eab4757ee12e04665f95ac686ef53bc4f8c0e508
                                                      • Instruction ID: e24945f033c28929cbc31819fc905dc5e2b58823bda79760c8fd10389ae50ad6
                                                      • Opcode Fuzzy Hash: 02701dd76a08a9c27690a146eab4757ee12e04665f95ac686ef53bc4f8c0e508
                                                      • Instruction Fuzzy Hash: DDD05E372092808FC381CF24D892921FFF5EFD7210328C48ED0C9C7252CA31A912CB21
                                                      Function 0664E588 Relevance: .0, Instructions: 15COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 094146b763124e1feaf4c79ac4c36221b5dd6759e781bf4ed9be7016f6e5d260
                                                      • Instruction ID: 0f8b85363a13839e96c56c683e436ffeed63671cd09c106ddd02bd795e933ab2
                                                      • Opcode Fuzzy Hash: 094146b763124e1feaf4c79ac4c36221b5dd6759e781bf4ed9be7016f6e5d260
                                                      • Instruction Fuzzy Hash: 92E012312092414FC321CB28C8A5B16BBF59F8A304F28C8ADD498C7362DB36A807C720
                                                      Function 06799648 Relevance: .0, Instructions: 15COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 096269ff6512264585cf08d3b60f7ebadcc8182632ea39512587a35e08fe3940
                                                      • Instruction ID: c17d0fb69a4dd60ca3e71db1c758ee49a24b0249bb9c22bd088d962f8d534aeb
                                                      • Opcode Fuzzy Hash: 096269ff6512264585cf08d3b60f7ebadcc8182632ea39512587a35e08fe3940
                                                      • Instruction Fuzzy Hash: EDD017B16493819FC302EA508850C56BBA5EBD5318B15888AE49047252CB229D0ACB61
                                                      Function 0679D0E0 Relevance: .0, Instructions: 15COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 56264830e895e27b1869d987456e078f2c59c336720f99fea32bb66292c65419
                                                      • Instruction ID: a8497cd42e21af86aa772414960ab16d7b43bf2576e028d2f9d46b89dc052072
                                                      • Opcode Fuzzy Hash: 56264830e895e27b1869d987456e078f2c59c336720f99fea32bb66292c65419
                                                      • Instruction Fuzzy Hash: D0D05E242053401F974AC62CC8A4401FFE1DF8B104755C4DEE188CB262DA21BC03E320
                                                      Function 0679397A Relevance: .0, Instructions: 15COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2396be0ea69a1adf1696d6359b23bb065da9bd20b3d66ae1f0c3038c65337f9c
                                                      • Instruction ID: c1ce62e8093b309911c2709fb785d77a23221db185116907688bcdddf59910e8
                                                      • Opcode Fuzzy Hash: 2396be0ea69a1adf1696d6359b23bb065da9bd20b3d66ae1f0c3038c65337f9c
                                                      • Instruction Fuzzy Hash: 47D05E36A01208AF8F00DFA4E94164DB7F5DF09204B5000E9B614D7200EA328A00DB81
                                                      Function 01530AB4 Relevance: .0, Instructions: 15COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 28c7d15a5d7d16504433c1336817525c5ff374d98a50952227544a90ef47543f
                                                      • Instruction ID: 93941cb92fa2fa00773990de78e40866d4d7ce7397c03363004b24084321a784
                                                      • Opcode Fuzzy Hash: 28c7d15a5d7d16504433c1336817525c5ff374d98a50952227544a90ef47543f
                                                      • Instruction Fuzzy Hash: BEE08671704315CED7118F1494447A5F7E8FB80311F4A45B6D55A5F292C730C805DB62
                                                      Function 06647A52 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f6b11b31ff0fa0bb4739b3582ff9479547fbdd48f76a165d833c5ea9845fcdc9
                                                      • Instruction ID: ea3611a896ab064fde49d5a37d10be72a7d0a5d41b2dda33354a48f43db419a0
                                                      • Opcode Fuzzy Hash: f6b11b31ff0fa0bb4739b3582ff9479547fbdd48f76a165d833c5ea9845fcdc9
                                                      • Instruction Fuzzy Hash: 50E0127110D2829FC302CF14E950D45BFF1AF96604F1584CEE48097292C7359D26CB22
                                                      Function 0664FA20 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c760d69566f345db1fecca69ce886f5d1d135abe8ea17e73bc8f82cc33acc35
                                                      • Instruction ID: 1fc1f979c5ec164c57d6f4089f9d58bdfa1a4abeda28196bc194b2d3e420ccce
                                                      • Opcode Fuzzy Hash: 1c760d69566f345db1fecca69ce886f5d1d135abe8ea17e73bc8f82cc33acc35
                                                      • Instruction Fuzzy Hash: 80D0C971E0220CBF8B00EFA4D90199EB7F9EB45200B5041A6A508D7210F9325A109791
                                                      Function 06641BB0 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 233d708e13b66910b2db9a821c1cc888078a3a3ce3f76e0d5e04c21f39d70e78
                                                      • Instruction ID: 654fbe69022fb2b430c64ccf1836fb1010da47e3b8b66fcd6fdff908fe23ef94
                                                      • Opcode Fuzzy Hash: 233d708e13b66910b2db9a821c1cc888078a3a3ce3f76e0d5e04c21f39d70e78
                                                      • Instruction Fuzzy Hash: B9D0C972A0620CAB8B00EFE4E90199EB7F9DB46210B9041A6E509D7210F9325A109791
                                                      Function 0664FD78 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c031281d8b5a9d1a31cad376a4a5d0fdf671df186d39f25fab73e7a6cd80fcfc
                                                      • Instruction ID: 26f11bd07170090cc84c3ebc0d906ce2be8ad2ffaecd504b63230367bedce1ca
                                                      • Opcode Fuzzy Hash: c031281d8b5a9d1a31cad376a4a5d0fdf671df186d39f25fab73e7a6cd80fcfc
                                                      • Instruction Fuzzy Hash: 0FD0C971A4220CEB8B40EFA9D94199EB7FADB49214B5041A6A518D7210F9325A109B91
                                                      Function 06790650 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f5ace9d5434cb1ce9322c53bdeba2f1da5d999f29a36aa443697ed22205e960b
                                                      • Instruction ID: 4c189b32162788e7c50c4474ad05dcd1b381b7098f9c0be26e2d20e189b87568
                                                      • Opcode Fuzzy Hash: f5ace9d5434cb1ce9322c53bdeba2f1da5d999f29a36aa443697ed22205e960b
                                                      • Instruction Fuzzy Hash: 02D0C971E0220CAB8B00EFA8D90199EB7FADF45200B5041A6A508D7210F9325A109B92
                                                      Function 0679394B Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 519989027ec64afd75fa1b9687c4724d10c4e0ea68712d4f24456f9a6dbf19fd
                                                      • Instruction ID: cf310a7334563d6cfebbf0dfad5286be5e63a07d7ac722b06e87930c7c0b7a3a
                                                      • Opcode Fuzzy Hash: 519989027ec64afd75fa1b9687c4724d10c4e0ea68712d4f24456f9a6dbf19fd
                                                      • Instruction Fuzzy Hash: 2BD05E756092405FD312CA24C850912FBB59F86110318C49EA084C726ADB259C02C7A1
                                                      Function 067921B8 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 63372c617072910273b7476d796817338a1902e39397c89ca6e05f6a28c8ab71
                                                      • Instruction ID: d5d3cae1f0822de4cda77aa1b680d199ac759be0e049aee45e7d0c6ed6b8b51d
                                                      • Opcode Fuzzy Hash: 63372c617072910273b7476d796817338a1902e39397c89ca6e05f6a28c8ab71
                                                      • Instruction Fuzzy Hash: 0FD012A15191404BC3C0DB38CD5A9D4FBB1EB51240318C595D548CF757EE31D907D751
                                                      Function 06793980 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8e0711f7411355e6fb6e44b742efdfd44b53a53071a96eeb18cadd5fa03bd040
                                                      • Instruction ID: bcdc63452998177d0afd761fa0a394dca804a57dd8ac02458b5d0cdab69876b3
                                                      • Opcode Fuzzy Hash: 8e0711f7411355e6fb6e44b742efdfd44b53a53071a96eeb18cadd5fa03bd040
                                                      • Instruction Fuzzy Hash: B8D0C971A0230CAF8B04EFA4DD0199EB7F9DB45204B9041E6A618E7210F9325A109792
                                                      Function 05F8FB28 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 989d93b32bee8adde8487276e6be8e5d5d05bcd3afd495a529ccf5131ec6d313
                                                      • Instruction ID: 2dd137aecff0ea759a60f1c77a2f9a729d247a31d1b2259e4c2039ea551ef1ff
                                                      • Opcode Fuzzy Hash: 989d93b32bee8adde8487276e6be8e5d5d05bcd3afd495a529ccf5131ec6d313
                                                      • Instruction Fuzzy Hash: 45D0C7721092809FC351CB24C8D5D55FBF4DF5721075AC49ED495CB256CA359D17DB30
                                                      Function 05F8BAD0 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 27c603ab2e47d7203244db3261f6b99c82914cecf51c50e4cb072208e25fa815
                                                      • Instruction ID: d9bc7e137fd44aaeb24086165be91ee0e9c643262c9c957cf1af5a200df220a8
                                                      • Opcode Fuzzy Hash: 27c603ab2e47d7203244db3261f6b99c82914cecf51c50e4cb072208e25fa815
                                                      • Instruction Fuzzy Hash: 4AD0C971A0220CAF8B00EFA4D95199EB7FADB46210B5041A6A508D7210F9325A109791
                                                      Function 05F8A210 Relevance: .0, Instructions: 14COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 990f1fece4147b34421cce432669652d9baaa9e95de4f8354a73731a70a9a5a0
                                                      • Instruction ID: 2a0cdf575877e952c63cade87720743524c8e8c4e3fbc642f0029b0f9f6c3957
                                                      • Opcode Fuzzy Hash: 990f1fece4147b34421cce432669652d9baaa9e95de4f8354a73731a70a9a5a0
                                                      • Instruction Fuzzy Hash: 10D05E3410D2814FC391CB10C8A68D2FF70AB8620070CC6DBE8888B253D631CC03DBA6
                                                      Function 06640658 Relevance: .0, Instructions: 13COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 791868b2b6d4904eca63423b42afb3773cf3bd7afed7f015f908fe64dc81cf6d
                                                      • Instruction ID: 1d2c5b51030abd186a83bee4b09449a282c16bbf154cb9b97365610c327b5c4c
                                                      • Opcode Fuzzy Hash: 791868b2b6d4904eca63423b42afb3773cf3bd7afed7f015f908fe64dc81cf6d
                                                      • Instruction Fuzzy Hash: B8D0C9712081219F9244CA48E950C6BB7E9DBC9A10B14884EB88493241CA62DC16CBB2
                                                      Function 0664AC49 Relevance: .0, Instructions: 13COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e4fe2904453246581ad90cc50bcbfd0ccd51609274a36e8e0f21b766558a480f
                                                      • Instruction ID: bed32f60db0ce7d5b566134af850de387cf5eb9e199777fd2df8366bcecdfdf9
                                                      • Opcode Fuzzy Hash: e4fe2904453246581ad90cc50bcbfd0ccd51609274a36e8e0f21b766558a480f
                                                      • Instruction Fuzzy Hash: 1CD0C97265E2814FC312C734CD9B904FFA1DE8320435D84DEC098CB6A7DA29D907C766
                                                      Function 06792F20 Relevance: .0, Instructions: 13COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: acdca7eef7a51bb599395b712f00ee524e0769026de7d4c98e6024e0b442181a
                                                      • Instruction ID: 52e4bac4f5f6681b76acdb1c486ea8cb64a6c021d37d8752bb6f98bfd6f9601b
                                                      • Opcode Fuzzy Hash: acdca7eef7a51bb599395b712f00ee524e0769026de7d4c98e6024e0b442181a
                                                      • Instruction Fuzzy Hash: B4C0806014A280BFC743D6208C618267F704E8200431944D7E444CF3A3C7159E37DF93
                                                      Function 05F8C40A Relevance: .0, Instructions: 13COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cf6164c09e007fbe134497b88c9f9d8dac7c53295c116fbdcb4cc088b39db928
                                                      • Instruction ID: 6d294324874a1fae9b07bcf4127d40aa2df7bc32c9e402933e2bea9d8c503f1b
                                                      • Opcode Fuzzy Hash: cf6164c09e007fbe134497b88c9f9d8dac7c53295c116fbdcb4cc088b39db928
                                                      • Instruction Fuzzy Hash: 3CD0677614E2C05FD312CB34D891911BFB1AF9B21471A84DED4D5CB252DA259806DB21
                                                      Function 0664D228 Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6fd5862abba9300e25b077a0ac4af4b5da7c8fab61ce18239a04dd38772a8edf
                                                      • Instruction ID: 805465856a0e97f1801a7b9e58a9ccc16fe6aa036e262aa7ced1ad80dc8590cd
                                                      • Opcode Fuzzy Hash: 6fd5862abba9300e25b077a0ac4af4b5da7c8fab61ce18239a04dd38772a8edf
                                                      • Instruction Fuzzy Hash: 59C012752142125BD254DA04C841D66B3A6FFC8314F14C86EE85083345CF76DC07C7A0
                                                      Function 06649EE8 Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d65e5b6af05d690824ce183d8beaa52cb44500ab0cfb326470b6cb162210b4af
                                                      • Instruction ID: be30ff3f4adb22f2813841100dbdc5bafbe452cd48ba902ea8f9ab98109689be
                                                      • Opcode Fuzzy Hash: d65e5b6af05d690824ce183d8beaa52cb44500ab0cfb326470b6cb162210b4af
                                                      • Instruction Fuzzy Hash: 3BD09E252592819FC302DB14C861855FFB1AF9A204719D9DED49C8B353DB31E903C756
                                                      Function 0664EC41 Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b48001cf110fc5e8cdea690640548ded28526e97ec86748e4e4c9eea2f709bc5
                                                      • Instruction ID: ec0e44cd30fec66325889e8a509a4e784497184c2587c35a90d58686ece8998a
                                                      • Opcode Fuzzy Hash: b48001cf110fc5e8cdea690640548ded28526e97ec86748e4e4c9eea2f709bc5
                                                      • Instruction Fuzzy Hash: CDC0122004A2909FC342EA24CCB0882BF294E6B200309C1CAE048CF253CA1A8E03C3A2
                                                      Function 0679B428 Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                      • Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
                                                      • Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                      • Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2
                                                      Function 06790A08 Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                      • Instruction ID: 48e8204161933d4df9c7b41a33249025f43fd015cf28c75e97648b457401bf24
                                                      • Opcode Fuzzy Hash: 9742d7865735c7252f6c48a7c294f1d1b4f483eb85901c8c33943e63f37f990d
                                                      • Instruction Fuzzy Hash: 84D012752081119F9204CF44E940C6BF7E6EFC8B10B14C84EB84053310CA72DC17CBB2
                                                      Function 01531BDC Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ef160ca01cddac7fd0876d0b57479089db1f867a23b2f635a9fb224b55ee0ed4
                                                      • Instruction ID: 2a58a7cd8e58de1e81852a22e3013aea43ba0161e069634d22e112ba7c4e7546
                                                      • Opcode Fuzzy Hash: ef160ca01cddac7fd0876d0b57479089db1f867a23b2f635a9fb224b55ee0ed4
                                                      • Instruction Fuzzy Hash: FBD0A734A00044EBCF052EA0E8544BC3772FB88312F108819E4015B364C6324C548701
                                                      Function 01530C69 Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4fd2679cbf28429cf8ae82dc400da3f8076519f29923c718b50f122b39e944a
                                                      • Instruction ID: f7684012e16fd051b7161ed9e5442689d9ec40787ff0758338ef8c94f40624d2
                                                      • Opcode Fuzzy Hash: a4fd2679cbf28429cf8ae82dc400da3f8076519f29923c718b50f122b39e944a
                                                      • Instruction Fuzzy Hash: 00D02237D48BA48EDB2212244C54299FBBC7B82111F0B045BEC92EB2D7E320E40B834B
                                                      Function 06645FB8 Relevance: .0, Instructions: 11COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
                                                      • Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
                                                      • Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
                                                      • Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0
                                                      Function 06790A02 Relevance: .0, Instructions: 11COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 65a09dd2ef4805d02ad0d9a5408f3583720cef3bb1f77ca7d95dd0e92c219b28
                                                      • Instruction ID: 84e6c6b6c22adcb537ad217077bc2981a80df1c489ad0d4ba8b014a82c50db05
                                                      • Opcode Fuzzy Hash: 65a09dd2ef4805d02ad0d9a5408f3583720cef3bb1f77ca7d95dd0e92c219b28
                                                      • Instruction Fuzzy Hash: 87D0C9762081929FC211CF98FA90C0AFBE2FFC9B10B198C4DE49053252CA32DC16CB72
                                                      Function 06791B88 Relevance: .0, Instructions: 11COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
                                                      • Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
                                                      • Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
                                                      • Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0
                                                      Function 05F8EEE0 Relevance: .0, Instructions: 11COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
                                                      • Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
                                                      • Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
                                                      • Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0
                                                      Function 05F8C830 Relevance: .0, Instructions: 11COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
                                                      • Instruction ID: 0a79cfcc9f3950630def7aa8d5064f7db411a5ec17eeb1af5eeabda724e68817
                                                      • Opcode Fuzzy Hash: b42eb4a4237f3f300b34101a9c64c7a2a34653e472d88958374a96a308d26003
                                                      • Instruction Fuzzy Hash: 8EC012752082209F9244DA08C840C66B3AAFBC8210B14C84EE85083300CBA2EC07CBA0
                                                      Function 06791A12 Relevance: .0, Instructions: 10COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 401f9973a51f78f6fbcbe2185498191b3f9cade5c9a5f337b116734e60eae85b
                                                      • Instruction ID: f1a68ab927e3bf3cf51dc18662ab514493a5f02ef56707cdcc88e319955a0ed3
                                                      • Opcode Fuzzy Hash: 401f9973a51f78f6fbcbe2185498191b3f9cade5c9a5f337b116734e60eae85b
                                                      • Instruction Fuzzy Hash: 3DD012B310D2C05EC333CB20D8A1940BFB06D4310031984CE90E0C70A7DB15AD19CBD2
                                                      Function 0664E598 Relevance: .0, Instructions: 9COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7fbcb63472128d0a210ea9036b863d07e77fffc7870fc97c2ca3b239b1a2b54e
                                                      • Instruction ID: 39a73c9bbe3c0ed7792a8b53aabb37d2f4b2636dfcf14e288d4917beaa58d51d
                                                      • Opcode Fuzzy Hash: 7fbcb63472128d0a210ea9036b863d07e77fffc7870fc97c2ca3b239b1a2b54e
                                                      • Instruction Fuzzy Hash: 35C04C753415025BD354C618C851A26F7A6DFD8315F14C47D6449C7759DE36DC03D614
                                                      Function 0679937F Relevance: .0, Instructions: 9COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e79eee89d5cb5eea1e4e8b1cbfb863d44a76ee151ef4dbdd7443aa5046bc23f6
                                                      • Instruction ID: c2e607aa98b043b258fe0ea989e6f576118784302a14e5ef9fd5e5b32272c27b
                                                      • Opcode Fuzzy Hash: e79eee89d5cb5eea1e4e8b1cbfb863d44a76ee151ef4dbdd7443aa5046bc23f6
                                                      • Instruction Fuzzy Hash: 01C08C752083008B8240DE44E840C06F3A2FFC8200B14CC0EE85083301CB32DC07CB60
                                                      Function 06649EF8 Relevance: .0, Instructions: 8COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                                      • Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
                                                      • Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                                      • Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10
                                                      Function 0664AC58 Relevance: .0, Instructions: 8COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                                      • Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
                                                      • Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                                      • Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10
                                                      Function 05F8A220 Relevance: .0, Instructions: 8COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                                      • Instruction ID: 60a72056a403d9f31dd85fef4a7a76d12bb133d0d450fb6ef353260f5a4d9492
                                                      • Opcode Fuzzy Hash: 16581dba91a5fda841cf47983153eb36e4fc24851952f78b75638f70de6cde10
                                                      • Instruction Fuzzy Hash: 0BC09274300100AF8348CA18C895C26F7E6EFD8214B24C46DB84DC7365EF32EC03CA10
                                                      Function 0664EC50 Relevance: .0, Instructions: 5COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                      • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                      Function 06792730 Relevance: .0, Instructions: 5COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                      • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                      Function 0679A460 Relevance: .0, Instructions: 5COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                      • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                      Function 0679CBB0 Relevance: .0, Instructions: 5COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                      • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                      Function 0679A180 Relevance: .0, Instructions: 5COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                      • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                      Function 05F8FFA0 Relevance: .0, Instructions: 5COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction ID: 424522431131923360a2424e5b60fcaca403654da384226d21dcd1d1d325544f
                                                      • Opcode Fuzzy Hash: 848e7b2b3d1d7438aceb18ee9ce77d60f8a3148b9db338e3d364b5add5ce48b1
                                                      • Instruction Fuzzy Hash: B3A001746050109B8689DA58D991818B7A2ABC9219728C4ADA819CB25ACF33E9039A44
                                                      Function 01530940 Relevance: .0, Instructions: 5COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 662fb90ddfe87118bf284fd1d2d7fd0311227a1ccf7d0bb4e53022f81cbfbfdd
                                                      • Instruction ID: a22780d158ccda064162976c4600b65ff9928b448498e254bb4e0a9975ba0d24
                                                      • Opcode Fuzzy Hash: 662fb90ddfe87118bf284fd1d2d7fd0311227a1ccf7d0bb4e53022f81cbfbfdd
                                                      • Instruction Fuzzy Hash: D190223000020CCF0C80238030080803B8C8200232F800000A00C000020A8028008280

                                                      Non-executed Functions

                                                      Function 06793C55 Relevance: 1.5, Strings: 1, Instructions: 219COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: @
                                                      • API String ID: 0-2766056989
                                                      • Opcode ID: b2e20b6a9f92074c941c625bc79a1660e719f50db4203ffb2ed257dae7ef683c
                                                      • Instruction ID: b5d393df8d55b44e1c9775e578b35130d7b449c3e69a22cbdea8b936fd638a96
                                                      • Opcode Fuzzy Hash: b2e20b6a9f92074c941c625bc79a1660e719f50db4203ffb2ed257dae7ef683c
                                                      • Instruction Fuzzy Hash: 03912F753221008FD744EB29F5599AE73F3EB98318B41846DDC068B3D6DB78AC09DB90
                                                      Function 0664A048 Relevance: .7, Instructions: 675COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f2c073139862f8ad2645de4f9029a531fffa666f62c98e7824c70dea48cd426a
                                                      • Instruction ID: 43ebf372d0ce9d2fd070e99ce233ba6f027939c9dbb1395a48c5aa265ecbe279
                                                      • Opcode Fuzzy Hash: f2c073139862f8ad2645de4f9029a531fffa666f62c98e7824c70dea48cd426a
                                                      • Instruction Fuzzy Hash: 91522934B012149FDB14EF68EC98AADB7B2FB99300F0185ADD40AAB365DB399D45DF40
                                                      Function 0664BF60 Relevance: .6, Instructions: 646COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 988bbee28b784dd4c5f12f8e50c6130d776df9bfe6480db034c9c59842a447f0
                                                      • Instruction ID: 39175b4cbbf5f13d8f94c6224fd699b2c588ec43f00b761f52d3ac36004cc39f
                                                      • Opcode Fuzzy Hash: 988bbee28b784dd4c5f12f8e50c6130d776df9bfe6480db034c9c59842a447f0
                                                      • Instruction Fuzzy Hash: 9C523834B012149FDB14FF68EC98AAEB7B2FB99200F0185ADD40AA7365DB399D45DF40
                                                      Function 0664A03E Relevance: .6, Instructions: 619COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4ca7b02c0811d5cc24be40116beee51b0820f0962931fe7e6765da34a9cc8280
                                                      • Instruction ID: 5e44bab32b77ed42a719008c40c8187676621bb0c22890e35c9be2567523bf6f
                                                      • Opcode Fuzzy Hash: 4ca7b02c0811d5cc24be40116beee51b0820f0962931fe7e6765da34a9cc8280
                                                      • Instruction Fuzzy Hash: 2B422934B012149FDB14EF68EC98AADB7B2FB99300F1185ADD40AA7365DB389D45DF40
                                                      Function 0664BF50 Relevance: .6, Instructions: 598COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a84802f747f7bc658e834038e54d4a29d35167a48636175eaab7043c1d72be0e
                                                      • Instruction ID: e965a2460fb8dbc025650f0ecdbee297ada65b59c34aaeaf2b5a4c44938097e5
                                                      • Opcode Fuzzy Hash: a84802f747f7bc658e834038e54d4a29d35167a48636175eaab7043c1d72be0e
                                                      • Instruction Fuzzy Hash: DA423834B012149FDB14FF68EC98AAEB7B2FB99200F0185ADD40AA7365DB399D45DF40
                                                      Function 05F82550 Relevance: .6, Instructions: 571COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bbc88d10bb8b6edf4e78a652c3efae7871609873c175b57f441521a54db325f8
                                                      • Instruction ID: a568f33ede995c57d125a772fe9146c2226a4794d70053700303425e7754193e
                                                      • Opcode Fuzzy Hash: bbc88d10bb8b6edf4e78a652c3efae7871609873c175b57f441521a54db325f8
                                                      • Instruction Fuzzy Hash: B4323E74B012058FDB24EFA9D894AAEB7B2FF98300F50856DD90697394DB38AC45CF91
                                                      Function 01533F65 Relevance: .5, Instructions: 543COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b23a5777a8cb1e30448e500cadb33a9c4f5571bb523c511523942ead8f0e1cd6
                                                      • Instruction ID: a6ec0df60af2319f7d64d649a03467d4d9ee2aec6be8c1aae79bce59d89412a0
                                                      • Opcode Fuzzy Hash: b23a5777a8cb1e30448e500cadb33a9c4f5571bb523c511523942ead8f0e1cd6
                                                      • Instruction Fuzzy Hash: 3D1292B19443559FCB45CF64C8C49EABBBAFF84324718C1A9EC449F206D339A94ADB70
                                                      Function 01533FDA Relevance: .5, Instructions: 527COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d87cd67677274208e9656699321ae917b4e75ecd265deef2a639d21aac583e09
                                                      • Instruction ID: 98c83ea0084affbe5418728c183d0e55ab02c1f7288ba259be512bdf2c91ed9d
                                                      • Opcode Fuzzy Hash: d87cd67677274208e9656699321ae917b4e75ecd265deef2a639d21aac583e09
                                                      • Instruction Fuzzy Hash: CB12A3B19443559FCB45CF65C8C49EABBBAFF84324708C169EC449F206D339A94ADB70
                                                      Function 0664DCA8 Relevance: .4, Instructions: 421COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 68a9537bc216754eecbeee4e8e51e8bddddf835048c7be8287eeed05e273fc90
                                                      • Instruction ID: 95ddd0f572e51b536994dcab5afe18f4b3090801fb6e4f888c95dbea769afefc
                                                      • Opcode Fuzzy Hash: 68a9537bc216754eecbeee4e8e51e8bddddf835048c7be8287eeed05e273fc90
                                                      • Instruction Fuzzy Hash: 5B028B74B016168FDB58DFA8C494B6EFBB1FB89300F10852DD9669B395CB38A851CBC1
                                                      Function 06648590 Relevance: .4, Instructions: 401COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 85f692b39b0ca25ba9d08f67c946725eaf871fd41c2c22589969ca7471988c9a
                                                      • Instruction ID: e75c226ef4be5a2f71ffce8630b77fbfa6de1d5e940bfbb5fb47cf50a7644a2b
                                                      • Opcode Fuzzy Hash: 85f692b39b0ca25ba9d08f67c946725eaf871fd41c2c22589969ca7471988c9a
                                                      • Instruction Fuzzy Hash: E5F1DE34B11214AFDB45EFA8EC98EAEB7B3FF98700F118559E805A7364DA396C01DB41
                                                      Function 06648542 Relevance: .4, Instructions: 363COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 457135711396c400712539000fc1ec800e59b83dd7dc74c728432fd6f8ce6d98
                                                      • Instruction ID: a279af50beeca42a0ffa6b88a8473def5d7ea84871d43e3d7d14ebf32b844579
                                                      • Opcode Fuzzy Hash: 457135711396c400712539000fc1ec800e59b83dd7dc74c728432fd6f8ce6d98
                                                      • Instruction Fuzzy Hash: E5E13234B112159FDB05EBA8EC98EAEBBB2FF99300F15855DE801A7395DB389C01CB41
                                                      Function 05F83730 Relevance: .3, Instructions: 315COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175551950020.0000000005F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F80000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5f80000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 061ddf9a5dca30c4667a14fa21499953e62e9cdb27ad7de57a11be85666ebaf6
                                                      • Instruction ID: 57e8e180abf264425b7a61fb594bfb6c873f86c5bd370c767bb3cfbea3467a52
                                                      • Opcode Fuzzy Hash: 061ddf9a5dca30c4667a14fa21499953e62e9cdb27ad7de57a11be85666ebaf6
                                                      • Instruction Fuzzy Hash: EBC1C5757001099FCB04EF29D894AAE77A3FF88710F158929E8069B395DB78ED46CBC1
                                                      Function 0679603C Relevance: .3, Instructions: 295COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c6fbfff5ba2eb09db7eaf475a273d83682da326665e7a55f30a1ce8cfb1300ca
                                                      • Instruction ID: 855f4081e7f636a710d77eb0e2571f19d30ca3e272434148aa2e0c9ede564580
                                                      • Opcode Fuzzy Hash: c6fbfff5ba2eb09db7eaf475a273d83682da326665e7a55f30a1ce8cfb1300ca
                                                      • Instruction Fuzzy Hash: 1DC13C74B011158FCB54EF28E999B6E77E2EB9C300F1084A9D80ADB385DE789D46CF90
                                                      Function 06796033 Relevance: .3, Instructions: 295COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e66dae01d8b482d54d44c4a8e3dc1d3ee110904b53f98eb2fb9ce35f59fc07c1
                                                      • Instruction ID: 29b29def1c58714ef81a968a936aabafd1cbbdf6409fb3af0823b368ed2ccddd
                                                      • Opcode Fuzzy Hash: e66dae01d8b482d54d44c4a8e3dc1d3ee110904b53f98eb2fb9ce35f59fc07c1
                                                      • Instruction Fuzzy Hash: BDC13C74B111158FCB54EF28E999B6E77E2EB98300F1084A9D80ADB385DE789D46CF90
                                                      Function 06643488 Relevance: .3, Instructions: 274COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552183747.0000000006640000.00000040.00000800.00020000.00000000.sdmp, Offset: 06640000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6640000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2bd0a4fe9a153438fa9d34b15e832016efb3901ede510ee786a7ebc2b377c9c2
                                                      • Instruction ID: 2229d59aa6a285a70f2f6381dba524af4260eeba9f32b0b28e9ab2bc9bcaf27d
                                                      • Opcode Fuzzy Hash: 2bd0a4fe9a153438fa9d34b15e832016efb3901ede510ee786a7ebc2b377c9c2
                                                      • Instruction Fuzzy Hash: 93A150347122049FDB44FB29EC98A7E73A3EF98210F11842DD8069B395CB78AD16DB81
                                                      Function 015342F8 Relevance: .3, Instructions: 272COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4eea5a1d4c540999242fb1f5c2e3dd0a000eacec97f49db07a59e0c76e81213a
                                                      • Instruction ID: 1e4e52a25eb65960669c740355ccac9fccd04ef13440073738fda466ab971c0f
                                                      • Opcode Fuzzy Hash: 4eea5a1d4c540999242fb1f5c2e3dd0a000eacec97f49db07a59e0c76e81213a
                                                      • Instruction Fuzzy Hash: 2CB16D71E0052A8BDF15CFA9C9806AEFBF1FB88304F188669D455EB602D734ED42CB90
                                                      Function 0679611D Relevance: .2, Instructions: 245COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175552480160.0000000006790000.00000040.00000800.00020000.00000000.sdmp, Offset: 06790000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_6790000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7ebb8fa07f8e4d57febece799bee53fddf54ce78d5a2109af471334324a4c55a
                                                      • Instruction ID: 1f3273c626c95c277284033e504f345c6e0d34047e39b894d6d9fad9cf66c731
                                                      • Opcode Fuzzy Hash: 7ebb8fa07f8e4d57febece799bee53fddf54ce78d5a2109af471334324a4c55a
                                                      • Instruction Fuzzy Hash: C0B13C74B011158FCB54EF28E999B6E77F2EB98300F1084A9D80ADB385DE789D46CF90
                                                      Function 015315A8 Relevance: .2, Instructions: 155COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5ee6a40d312cb7d1b05f5b3674dba2ed5957887e6adfcbf179cbfb3acdc1af22
                                                      • Instruction ID: 2ab60412ab7e43633dbdc5e8b22374e1b42dbbb2dca408a03835970d4b24a194
                                                      • Opcode Fuzzy Hash: 5ee6a40d312cb7d1b05f5b3674dba2ed5957887e6adfcbf179cbfb3acdc1af22
                                                      • Instruction Fuzzy Hash: BB61F8B5F006058FE749DF6BE85469ABBE3FFC8240F18C46AC5049B269EB395806CF51
                                                      Function 015315B8 Relevance: .1, Instructions: 149COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.175544905721.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_1530000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 1c7481d48005880da4c22e0937af7e8a16b6711a65e4d3fc2bed600a5e7039d4
                                                      • Instruction ID: 76a86b3bd1923c6b450002ce1db8fb157f1802b6a4085667b5a74d11989dac32
                                                      • Opcode Fuzzy Hash: 1c7481d48005880da4c22e0937af7e8a16b6711a65e4d3fc2bed600a5e7039d4
                                                      • Instruction Fuzzy Hash: B651F5B5F006058FE749DFBBE85469ABBE3FBC8240F18C42AC5049B269EB395805CB51

                                                      Executed Functions

                                                      Function 07C51820 Relevance: .6, Instructions: 570COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173120406502.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7c50000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2a06a2fd4d1223b3c3904e3e4c6551ff354f8398a1fe3fd4c9a4e0cc4377155d
                                                      • Instruction ID: 935ad45d894c03825ed3027756b8a5fc14b70b21d190828f6f20e7285e42f63e
                                                      • Opcode Fuzzy Hash: 2a06a2fd4d1223b3c3904e3e4c6551ff354f8398a1fe3fd4c9a4e0cc4377155d
                                                      • Instruction Fuzzy Hash: 4E128BB1B0430A8FDB25DBA98444BBA7BA29FC2255F18807BDD05DF241EA33CD81C795
                                                      Function 04DA3C00 Relevance: .3, Instructions: 312COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173113449318.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_4da0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 084b167bf9bee19a71f22af6a5430bdee854c4cc5dab3fb5ab67e2f99878c8ba
                                                      • Instruction ID: ee91f77e610b9a8f84cddb3f60cdb500e8ef1ae5953e39c8f86044595ca4811c
                                                      • Opcode Fuzzy Hash: 084b167bf9bee19a71f22af6a5430bdee854c4cc5dab3fb5ab67e2f99878c8ba
                                                      • Instruction Fuzzy Hash: F6D11534A01249DFDB05CFA8D480A9DFBF2BF88310F25819AE845AB351C771ED96CB90
                                                      Function 04DA29F0 Relevance: .2, Instructions: 225COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173113449318.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_4da0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0772632cd8044855cca2d758250046d92e28c8b8c3f8ebd645aab6b4571fe38a
                                                      • Instruction ID: fbc13aedf1c1eab4c81669085e9f4792c6c0d799675066d5d4369e351b3db0ab
                                                      • Opcode Fuzzy Hash: 0772632cd8044855cca2d758250046d92e28c8b8c3f8ebd645aab6b4571fe38a
                                                      • Instruction Fuzzy Hash: C091A034A04649CFCB15CF59C4949AAFBF1FF89310B248699D816AB365C735FC61CBA0
                                                      Function 07C51804 Relevance: .1, Instructions: 123COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173120406502.0000000007C50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C50000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_7c50000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 141e4bb3b6a134364024c7dd1be5962b07f4eb2bebbe43b0771c362489f4fc2a
                                                      • Instruction ID: 4ecc04eaebc2d70b43184864f3293893da5cd0ec9c840436df9c634cc34a634e
                                                      • Opcode Fuzzy Hash: 141e4bb3b6a134364024c7dd1be5962b07f4eb2bebbe43b0771c362489f4fc2a
                                                      • Instruction Fuzzy Hash: E6412BB0A04309DFDB248F99C489BB977B3AF81209F5D8166DC04AB251D733DE81C795
                                                      Function 034AD006 Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173112986932.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_34ad000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 7801b80006225b549995deb04541a34bff2ffe8ba3562e3da838eda077a5099a
                                                      • Instruction ID: 3363ee44d0f7f633e5a3cb43e23d436f0519d856378e8a593a30826d6fa76401
                                                      • Opcode Fuzzy Hash: 7801b80006225b549995deb04541a34bff2ffe8ba3562e3da838eda077a5099a
                                                      • Instruction Fuzzy Hash: D501407240E7C09FD7128B258894B56BFB4DF53224F1D81DBD8888F693C2695848DB72
                                                      Function 034AD01D Relevance: .0, Instructions: 45COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173112986932.00000000034AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 034AD000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_34ad000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3e20aaff77f982376586fbed7225b64afa787bab91fdf53b492873afe9feeec7
                                                      • Instruction ID: 73c55ccf40f06d8faee13fb2c1800e957b6f3ecb239e782ded956c6733dc6672
                                                      • Opcode Fuzzy Hash: 3e20aaff77f982376586fbed7225b64afa787bab91fdf53b492873afe9feeec7
                                                      • Instruction Fuzzy Hash: 4401F771908B409FE7108B2ACC84767FB98DF52628F1C806BEC581F642C2B99445DAB5

                                                      Non-executed Functions

                                                      Function 04DA1D7A Relevance: 13.9, Strings: 11, Instructions: 123COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173113449318.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_4da0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: k$k$k$k$k$k$k$k$k$k$k
                                                      • API String ID: 0-760646583
                                                      • Opcode ID: 51977d113c70d9aafa1f2f2479cf39667a3d1e8091089df341ace73b448f7972
                                                      • Instruction ID: 4b274d9301f7aab7537d31a2d5edb4194940c0268968d772fc771e193785a5d0
                                                      • Opcode Fuzzy Hash: 51977d113c70d9aafa1f2f2479cf39667a3d1e8091089df341ace73b448f7972
                                                      • Instruction Fuzzy Hash: B331B283C0E7D10FE313A67869A12D27F659F23154F0A01E7C9E1CB1A3F9054A1B83A2
                                                      Function 04DA1D01 Relevance: 8.8, Strings: 7, Instructions: 69COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173113449318.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_4da0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: k$k$k$k$k$k$k
                                                      • API String ID: 0-3489947206
                                                      • Opcode ID: dd49f95a0d5399a81319d5b674029f24647010351be3b4acea1893e7ba5f4144
                                                      • Instruction ID: 990dec0a0af81cc105303ec3cfc49cd3811a9dfc91ace45127e0f0a986022f23
                                                      • Opcode Fuzzy Hash: dd49f95a0d5399a81319d5b674029f24647010351be3b4acea1893e7ba5f4144
                                                      • Instruction Fuzzy Hash: 8011DBD680E7D40FE313A66C6D952D6BF619F23058F0612E3CAD1CB1B3B9444A1B43A3
                                                      Function 04DA1ACD Relevance: 6.5, Strings: 5, Instructions: 276COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173113449318.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_4da0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: k$k$k$k$k
                                                      • API String ID: 0-4265032646
                                                      • Opcode ID: 7e70d8af73461d27630970cdc5647153260c011dc9ad29976773f75399fb6417
                                                      • Instruction ID: 3989229ca794829b3aa1bc48bf34a3727d14a829f93cc4c78bca7ab47d738c2b
                                                      • Opcode Fuzzy Hash: 7e70d8af73461d27630970cdc5647153260c011dc9ad29976773f75399fb6417
                                                      • Instruction Fuzzy Hash: AC31CC8294F7D04FE7039B6869B02E5BF62AE23124F0A11D7C8D1CF1A3F1045E6A8366
                                                      Function 04DA1AED Relevance: 6.5, Strings: 5, Instructions: 254COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173113449318.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_4da0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: k$k$k$k$k
                                                      • API String ID: 0-4265032646
                                                      • Opcode ID: 35a47935e4793aa6f3d25a5db48e0b439124e89dffe9a9a2d12344206df71aa7
                                                      • Instruction ID: a7aeec3f0b9cd931f29f6a436b73dbe7737edc7d411029ae5de4e69030c00af2
                                                      • Opcode Fuzzy Hash: 35a47935e4793aa6f3d25a5db48e0b439124e89dffe9a9a2d12344206df71aa7
                                                      • Instruction Fuzzy Hash: 7B219D8294F7D14FE7039B3969B02D57F62AE23164B0A11D7C8D1CF1A3E5481A6A836A
                                                      Function 04DA1AFD Relevance: 6.5, Strings: 5, Instructions: 247COMMON
                                                      Download Yara Rule
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000002.00000002.173113449318.0000000004DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_2_2_4da0000_powershell.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: k$k$k$k$k
                                                      • API String ID: 0-4265032646
                                                      • Opcode ID: 630398eb4fdc44affcaae02cbe83181435666fcaaba3dc587eb1f3d80922747c
                                                      • Instruction ID: e669076ff49f9f2e7c4e0fce22580fa21f76a4dc8a2a148919662880c6294dbb
                                                      • Opcode Fuzzy Hash: 630398eb4fdc44affcaae02cbe83181435666fcaaba3dc587eb1f3d80922747c
                                                      • Instruction Fuzzy Hash: DF218E8284F7D15FE7039B7969B02D57F62AE63164B0A11D3C8D1CF1A3E5180E5A836B

                                                      Executed Functions

                                                      Function 023E1830 Relevance: .3, Instructions: 253COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ceec4917fe1ebdfaeafdf62ec92c546cb86084815563f910102db1697a167c5d
                                                      • Instruction ID: 286ce34976e1a4b1e9ebb0cb6c7d78086fd2239da1f8977769bef53143a06298
                                                      • Opcode Fuzzy Hash: ceec4917fe1ebdfaeafdf62ec92c546cb86084815563f910102db1697a167c5d
                                                      • Instruction Fuzzy Hash: E9A1BE74A006108FCB15DF6DD444BA9BBF2FF89314F1581A9E446AB3A5DB31EC0ADB90
                                                      Function 023E1281 Relevance: .2, Instructions: 183COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 59660ed8ff7977ad0d12262b65f98b94124eea5ca7df22cf903297cc24aabcf2
                                                      • Instruction ID: 3d994e6ce1a8eaefde68411252f5c43e7987b9e4fbada3b1cb5b1b1f9a19b25b
                                                      • Opcode Fuzzy Hash: 59660ed8ff7977ad0d12262b65f98b94124eea5ca7df22cf903297cc24aabcf2
                                                      • Instruction Fuzzy Hash: B5612B74B001148FDB44DFA8D898BADBBF2BF88700F2540A9E44AEB3A1CE719D45CB50
                                                      Function 023E1290 Relevance: .2, Instructions: 150COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d3431c8fa3ead019b7c2a2ec51986ee7802aaee3f0d2a8b9046d26d00426d409
                                                      • Instruction ID: 37f9b57a2453852b1c4aa4b10584a10d8837367963caba856b632b6c6997e4ba
                                                      • Opcode Fuzzy Hash: d3431c8fa3ead019b7c2a2ec51986ee7802aaee3f0d2a8b9046d26d00426d409
                                                      • Instruction Fuzzy Hash: 02510A74B001148FCB44EFA9D498BADBBF6BF88700F2544A9E506EB3A1CEB19D45CB50
                                                      Function 023E1138 Relevance: .1, Instructions: 78COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0e3f428619719c286b2dccd749253018ae19e701960c0f7f4cc9c3516bfb32f6
                                                      • Instruction ID: 35284945c600287e198ba900b462adcd18285542bd284e778f0224a879f20465
                                                      • Opcode Fuzzy Hash: 0e3f428619719c286b2dccd749253018ae19e701960c0f7f4cc9c3516bfb32f6
                                                      • Instruction Fuzzy Hash: 58218B34B00218CFDB18EB69D859B6E7BF5AB88311F104469E40BDB3A0DF719D09DBA0
                                                      Function 023E1127 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 2dd92eee0464184df7c3f1ea686fd6615749bf570e5c07eb3b9d1a2c7bb52e18
                                                      • Instruction ID: 677145f6bf49bf8e6f9627ac4bb4bbda6c0b30b1f3509d55062e4f61767cec82
                                                      • Opcode Fuzzy Hash: 2dd92eee0464184df7c3f1ea686fd6615749bf570e5c07eb3b9d1a2c7bb52e18
                                                      • Instruction Fuzzy Hash: 8A21A9347006048FCB18EB69D858B6A7BE6AB88710B1044A9E44ADB3A4DF719D09DB61
                                                      Function 023E08F0 Relevance: .0, Instructions: 37COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 99b9e513aac0b76e3a036e2f20d3bf93ab2985b54bb4bc0ed27c14e9e5aee094
                                                      • Instruction ID: 16695d17a8404ec1997a47bd6c14b2c3210e985636eaeb9eb4311441366f6415
                                                      • Opcode Fuzzy Hash: 99b9e513aac0b76e3a036e2f20d3bf93ab2985b54bb4bc0ed27c14e9e5aee094
                                                      • Instruction Fuzzy Hash: 5AF0399290E3D44FE713477468711C17F71AE27525B0E46CFC0D5CB0E3D2490809CB62
                                                      Function 023E0898 Relevance: .0, Instructions: 30COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9699c595c16bff0be3d14cadda68ca517588ec0478aaccbce006da792de33623
                                                      • Instruction ID: 29aafbbfc43176aca49551367acf6bd4c2e68a31f13300552ab6e7ee12095906
                                                      • Opcode Fuzzy Hash: 9699c595c16bff0be3d14cadda68ca517588ec0478aaccbce006da792de33623
                                                      • Instruction Fuzzy Hash: CCF0E575509308EFEB01DFA0DC2179C7BF9EA05300B1000DAD45AE7292DA715E08DBA1
                                                      Function 023E0861 Relevance: .0, Instructions: 25COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: fc4d558127f8d800392dc5c5b87395a4e2a84b6e43eb9a7bcb12a2b6e8dfd2ca
                                                      • Instruction ID: 012a0da4c20b952ad6a6d27ce5a845a343af48aa7a7c32945dbc420dd8eeb7b8
                                                      • Opcode Fuzzy Hash: fc4d558127f8d800392dc5c5b87395a4e2a84b6e43eb9a7bcb12a2b6e8dfd2ca
                                                      • Instruction Fuzzy Hash: B2E0428690EBD05FD7170A345C242856FB2A81760478E04CBC6D1CB2A3D10A1909C366
                                                      Function 023E124F Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d8c48d6f3c75c63efa33c793c5ff1bfdce774561ce4eef8207b48cf6cfc0406b
                                                      • Instruction ID: 2d1689d762fffef5f0c5dda93b304b06ff44d9d111313c5dadb6d9780a00083e
                                                      • Opcode Fuzzy Hash: d8c48d6f3c75c63efa33c793c5ff1bfdce774561ce4eef8207b48cf6cfc0406b
                                                      • Instruction Fuzzy Hash: 65E01777B996908FC716AB789C295893FB4DE5725034500E7E486CB2B2DA288C02C796
                                                      Function 023E08A8 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 967d0d7f1f35bd5a73dfc208f768983a232e222b72d31c276004f5779103ab7e
                                                      • Instruction ID: 9e1842e127bc299aeb06fb6f2763aa101beb717ad627e726175843ada1c7718e
                                                      • Opcode Fuzzy Hash: 967d0d7f1f35bd5a73dfc208f768983a232e222b72d31c276004f5779103ab7e
                                                      • Instruction Fuzzy Hash: 16E04F74909709EFDB04DBE4D921A5CB7F9EB04301B400099D81BA3691DA715E14EBD1
                                                      Function 023E0C66 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: e0ae46c8b9b52178d90878b1db0da731cde25049090fa68f81134506d793ad83
                                                      • Instruction ID: 82a5255465d42e3e7726900b5ab2562199626110824af526eb6c57f942ec81e0
                                                      • Opcode Fuzzy Hash: e0ae46c8b9b52178d90878b1db0da731cde25049090fa68f81134506d793ad83
                                                      • Instruction Fuzzy Hash: EEE0D830508521CECA149F14A414B6736BCBB15315F4601B9D4E777AD2D3B49C0AD782
                                                      Function 023E1BDC Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a4d6bb2098f0d285c6100ee2588dd30f9df09d1aa37c13e63e465836caf2ed41
                                                      • Instruction ID: be82d4d9ea331e33aa8fa09133acac08bd1480d2ec6cdc6c3406aa9adea3d6ae
                                                      • Opcode Fuzzy Hash: a4d6bb2098f0d285c6100ee2588dd30f9df09d1aa37c13e63e465836caf2ed41
                                                      • Instruction Fuzzy Hash: 73D0A934E04154EBCF012B94F800ABD77B2EB48301F1488A9F842A33D0CA3A4DAC8B01
                                                      Function 023E0940 Relevance: .0, Instructions: 5COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000004.00000002.173375155955.00000000023E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_4_2_23e0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc4749a85b46e01f2f0e11c4a43e2cf084dbfe41fee3af09db0e4fe404e84c89
                                                      • Instruction ID: 345a25e097071e14050705e9c035de61d375f5b2ada30566316786e314473d4c
                                                      • Opcode Fuzzy Hash: bc4749a85b46e01f2f0e11c4a43e2cf084dbfe41fee3af09db0e4fe404e84c89
                                                      • Instruction Fuzzy Hash: 3F90023544460CDB49402795784A5957B5C95446267840051E50D825515E9969508595

                                                      Executed Functions

                                                      Function 02AF1830 Relevance: .3, Instructions: 252COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9c37b093a4b5dce1f07c6e9bea3d2eb23e40741726f96324b2553ba73ebd7ac3
                                                      • Instruction ID: 623a666f1d41974e3fb783c3d277f68ad3fc6dd19cc52ccda499789ed699cbe0
                                                      • Opcode Fuzzy Hash: 9c37b093a4b5dce1f07c6e9bea3d2eb23e40741726f96324b2553ba73ebd7ac3
                                                      • Instruction Fuzzy Hash: 1BA19A74A00200DFC719EFA9D594A59BBF2FF88310F1581A9E515EB3A5EB35EC01CB91
                                                      Function 02AF1281 Relevance: .2, Instructions: 162COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 89b759015213e6c6a6df61434b0142bb1137704e42c78f395001d75a92f88de9
                                                      • Instruction ID: 1ccf371d7bd498cb33999a74ef59fe6a0bf95da63a7a2393eb7e2b95a5c0e1e5
                                                      • Opcode Fuzzy Hash: 89b759015213e6c6a6df61434b0142bb1137704e42c78f395001d75a92f88de9
                                                      • Instruction Fuzzy Hash: 23515974B001148FCB84DFA8C598AADBBF2BF89700F6544A9E50ADB365CF749C41CB50
                                                      Function 02AF1290 Relevance: .2, Instructions: 150COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4b6bbce2291f97206e3b698fdb63ae316b800df083b490071a72c0b48359368b
                                                      • Instruction ID: a39332d0a536bcee3967de7b14b994dee563dd2277ee9d3b04fde89539741f69
                                                      • Opcode Fuzzy Hash: 4b6bbce2291f97206e3b698fdb63ae316b800df083b490071a72c0b48359368b
                                                      • Instruction Fuzzy Hash: C4510874B001148FCB44EFA9C598BAEBBF2BF88700F6544A9E506EB3A5CE749C41CB54
                                                      Function 02AF1138 Relevance: .1, Instructions: 78COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 0e1b3597aaab99771c7ea27cc2fe458d2b61fd78139be32d8918403f968b00f6
                                                      • Instruction ID: d88148240bc8d676abeb5e140e1750393bdee2caeda351c0e1a24933cb42a7bf
                                                      • Opcode Fuzzy Hash: 0e1b3597aaab99771c7ea27cc2fe458d2b61fd78139be32d8918403f968b00f6
                                                      • Instruction Fuzzy Hash: 83216B34B00204CFDB68EBA6D898B6ABBF5AF88340F104468F50ADB354DF759D05CBA1
                                                      Function 02AF1127 Relevance: .1, Instructions: 72COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a6f3ac1bc2c2e90241add743c2514030451508fdf81ec005a08bdcf75f467d4c
                                                      • Instruction ID: 72ccc6ec0951e50c2e5273ee8c4fc3e8aedb7b7e03eb8cd1b6a4cc49d8f6a8d1
                                                      • Opcode Fuzzy Hash: a6f3ac1bc2c2e90241add743c2514030451508fdf81ec005a08bdcf75f467d4c
                                                      • Instruction Fuzzy Hash: 2D216A357002008FC798EBB9D898A6ABBF5AF88740B5404ACF506DB354DF759D01CB61
                                                      Function 02AF0898 Relevance: .0, Instructions: 30COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ee2a46cbf7d97e7cfb7ad023fc55cc776afca5f822fa10adafeda0945cc408c3
                                                      • Instruction ID: 5e26a99be2238b5cef2474a334041b00522f6a9b39c6651bad3fbc265c09a540
                                                      • Opcode Fuzzy Hash: ee2a46cbf7d97e7cfb7ad023fc55cc776afca5f822fa10adafeda0945cc408c3
                                                      • Instruction Fuzzy Hash: 15F08C70509388EFDB86DBF09A205A87FB5EA0620475404E9E496DB156DA321E09D7A2
                                                      Function 02AF0861 Relevance: .0, Instructions: 25COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bc8db824b7d1434f3362dbd5954977a69c2c61b33ac43d0b257180893e61040a
                                                      • Instruction ID: 3519c13b37045702864c5e0d4a22cdd797ddff661e10abccf896c031ecbbf609
                                                      • Opcode Fuzzy Hash: bc8db824b7d1434f3362dbd5954977a69c2c61b33ac43d0b257180893e61040a
                                                      • Instruction Fuzzy Hash: 39E0420614E7C11EC7974BB80C340A27FB19D479087AE59CBC0C0CE5A3C55B665ED396
                                                      Function 02AF124F Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9f0bf2ec8783824a5ef053692b9a565292f5fe698f6636026918b00c7ff6e798
                                                      • Instruction ID: f4ce544b55d13615203aa8f20ac90e15dadfebb1163a94ad9ae02e508fc9ec43
                                                      • Opcode Fuzzy Hash: 9f0bf2ec8783824a5ef053692b9a565292f5fe698f6636026918b00c7ff6e798
                                                      • Instruction Fuzzy Hash: 3FE0C232B403008FC3456F7CD4084843BF6EF0626038104B6E445CB632D6385C038B91
                                                      Function 02AF08A8 Relevance: .0, Instructions: 20COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3fd96e844573155cc4082be0da9273eac6783a59fe0b20a899c2f1b16c7e2205
                                                      • Instruction ID: c074ac3c1aa0f354a96288ff1441fd3de9aadeff0e16f34516397de83c0f11ce
                                                      • Opcode Fuzzy Hash: 3fd96e844573155cc4082be0da9273eac6783a59fe0b20a899c2f1b16c7e2205
                                                      • Instruction Fuzzy Hash: 77E04F74949309EFD784EBE0D61166CBBB6FB04200B804068E51693204EA311E00D7D1
                                                      Function 02AF0C66 Relevance: .0, Instructions: 17COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f9213ee07b748c735e0422d0e52a16fdcd6230a665e021b52d8040da2e459ead
                                                      • Instruction ID: e3c81137a0439be326b07832e0452f339a728dec3359035f3c2e361722734e30
                                                      • Opcode Fuzzy Hash: f9213ee07b748c735e0422d0e52a16fdcd6230a665e021b52d8040da2e459ead
                                                      • Instruction Fuzzy Hash: E3E02630508200CEC3509B94D404BA37BB8FB05316F8602B9EBFA6764BFB389C02CB42
                                                      Function 02AF1BDC Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 5c7edc5291aafdb4706f2df0f50eb09cd1b39f74b4e1bc0d5a47f744deeb0cfe
                                                      • Instruction ID: 5d293e8286ce8168b76b15bc340977920b0af6a0ddbaa20bd84731309c825526
                                                      • Opcode Fuzzy Hash: 5c7edc5291aafdb4706f2df0f50eb09cd1b39f74b4e1bc0d5a47f744deeb0cfe
                                                      • Instruction Fuzzy Hash: 82D0A739E00140EBCF042BD5E9004BC3632FB49301F148864F61162240CB364D95C700
                                                      Function 02AF0932 Relevance: .0, Instructions: 12COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 057e46edf3df199c13329a2efe8ae2adee615655b00e0834653731a01c7f90ee
                                                      • Instruction ID: 4cc1f4596471af6ef6dea351ac2c813cc6150bf8b76714e2167bbc2cff6d023e
                                                      • Opcode Fuzzy Hash: 057e46edf3df199c13329a2efe8ae2adee615655b00e0834653731a01c7f90ee
                                                      • Instruction Fuzzy Hash: 28D0123268E3C49FCB87073014280E43F309F83728B294ADFE0C4CA4A3C2930816C712
                                                      Function 02AF0940 Relevance: .0, Instructions: 5COMMON
                                                      Download Yara Rule
                                                      Memory Dump Source
                                                      • Source File: 00000005.00000002.173455308002.0000000002AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_5_2_2af0000_G6hxXf90i5.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b84b9b09c0406ecc1350716b861bf23623a05b73f3f850a20e33b0356cec3d92
                                                      • Instruction ID: b8536c3316deaf412963f8f9bfe0ade41eab43eccda86895f4a5290dd414e36a
                                                      • Opcode Fuzzy Hash: b84b9b09c0406ecc1350716b861bf23623a05b73f3f850a20e33b0356cec3d92
                                                      • Instruction Fuzzy Hash: F490023514460C8B4954279574095957F5C95446367C50061A51D419055A556990C695