
Windows Analysis Report
lFlw40OH6u.exe

Overview

General Information

Sample name: lFlw40OH6u.exe (renamed because original name is a hash value)
Original sample name: f148f64274a9eee3839fe520a305a813369a808c803c047cdcb06f78777c445e.exe
Analysis ID: 1587592
MD5: f809585404b9272d36608b5892c98673
SHA1: 3eec646d8bc67e230fcaddb53354286585b87d13
SHA256: f148f64274a9eee3839fe520a305a813369a808c803c047cdcb06f78777c445e
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • lFlw40OH6u.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\lFlw40OH6u.exe" MD5: F809585404B9272D36608B5892C98673)
    • powershell.exe (PID: 6672 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 1412 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • lFlw40OH6u.exe (PID: 2704 cmdline: "C:\Users\user\Desktop\lFlw40OH6u.exe" MD5: F809585404B9272D36608B5892C98673)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration (Agenttesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "roocckkbtwo@apexrnun.com", "Password": "TsHZsTv}Jnj5E5Bn"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000004.00000002.3293046291.000000000281F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.3293046291.00000000027F2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.3293046291.00000000027F2000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
0.2.lFlw40OH6u.exe.433c010.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.lFlw40OH6u.exe.433c010.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.lFlw40OH6u.exe.433c010.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x32361:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x323d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3245d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x324ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32559:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x325cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32661:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x326f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
4.2.lFlw40OH6u.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.lFlw40OH6u.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lFlw40OH6u.exe", ParentImage: C:\Users\user\Desktop\lFlw40OH6u.exe, ParentProcessId: 6976, ParentProcessName: lFlw40OH6u.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe", ProcessId: 6672, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lFlw40OH6u.exe", ParentImage: C:\Users\user\Desktop\lFlw40OH6u.exe, ParentProcessId: 6976, ParentProcessName: lFlw40OH6u.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe", ProcessId: 6672, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lFlw40OH6u.exe", ParentImage: C:\Users\user\Desktop\lFlw40OH6u.exe, ParentProcessId: 6976, ParentProcessName: lFlw40OH6u.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe", ProcessId: 6672, ProcessName: powershell.exe
                    No Suricata rule has matched


                    AV Detection

Source: lFlw40OH6u.exe | Avira: detected
Source: 0.2.lFlw40OH6u.exe.433c010.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "roocckkbtwo@apexrnun.com", "Password": "TsHZsTv}Jnj5E5Bn"}
Source: lFlw40OH6u.exe | ReversingLabs: Detection: 86%
Source: lFlw40OH6u.exe | Virustotal: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: lFlw40OH6u.exe | Joe Sandbox ML: detected
Source: lFlw40OH6u.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: lFlw40OH6u.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: dVrB.pdbSHA256 | source: lFlw40OH6u.exe
Source: Binary string: dVrB.pdb | source: lFlw40OH6u.exe

                    Networking

Source: Yara match | File source: 4.2.lFlw40OH6u.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lFlw40OH6u.exe.433c010.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.lFlw40OH6u.exe.43009f0.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: mail.apexrnun.com
Source: lFlw40OH6u.exe, 00000004.00000002.3293046291.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: lFlw40OH6u.exe, 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, lFlw40OH6u.exe, 00000004.00000002.3293046291.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, lFlw40OH6u.exe, 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: lFlw40OH6u.exe, 00000000.00000002.2067295283.0000000003320000.00000004.00000800.00020000.00000000.sdmp, lFlw40OH6u.exe, 00000004.00000002.3293046291.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lFlw40OH6u.exe, 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, lFlw40OH6u.exe, 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                    System Summary

Source: 0.2.lFlw40OH6u.exe.433c010.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.lFlw40OH6u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.lFlw40OH6u.exe.43009f0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.lFlw40OH6u.exe.433c010.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.lFlw40OH6u.exe.43009f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_0777D3D4
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_07773A50
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_07771248
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_07773A1F
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_077BF050
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_077BF040
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_077BDD08
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_077BEC18
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_077BEC08
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CE4AC0
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CEEDA0
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CEAD20
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CE3EA8
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CE41F0
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_0646C220
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_0646A9D4
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_064865F8
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_0648B2A7
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_064851C0
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_0648C188
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_06487D88
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_06482B10
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_064876A8
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_0648E3A8
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_06480040
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_064858F8
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_06480038
Source: lFlw40OH6u.exe, 00000000.00000002.2061089799.000000000149E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs lFlw40OH6u.exe
Source: lFlw40OH6u.exe, 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2551fb91-c18e-4cfc-9a10-be38a5933551.exe4 vs lFlw40OH6u.exe
Source: lFlw40OH6u.exe, 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs lFlw40OH6u.exe
Source: lFlw40OH6u.exe, 00000000.00000002.2067295283.0000000003320000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2551fb91-c18e-4cfc-9a10-be38a5933551.exe4 vs lFlw40OH6u.exe
Source: lFlw40OH6u.exe, 00000000.00000002.2075405540.00000000092D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs lFlw40OH6u.exe
Source: lFlw40OH6u.exe, 00000000.00000000.2039135990.0000000001040000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamedVrB.exeL vs lFlw40OH6u.exe
Source: lFlw40OH6u.exe, 00000004.00000002.3290919476.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2551fb91-c18e-4cfc-9a10-be38a5933551.exe4 vs lFlw40OH6u.exe
Source: lFlw40OH6u.exe, 00000004.00000002.3291272686.0000000000A28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dll vs lFlw40OH6u.exe
Source: lFlw40OH6u.exe, 00000004.00000002.3291178716.0000000000979000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs lFlw40OH6u.exe
Source: lFlw40OH6u.exe | Binary or memory string: OriginalFilenamedVrB.exeL vs lFlw40OH6u.exe
Source: lFlw40OH6u.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.lFlw40OH6u.exe.433c010.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.lFlw40OH6u.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.lFlw40OH6u.exe.43009f0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.lFlw40OH6u.exe.433c010.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.lFlw40OH6u.exe.43009f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: lFlw40OH6u.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/1
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lFlw40OH6u.exe.log
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ghtvdjlj.t0t.ps1
Source: lFlw40OH6u.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: lFlw40OH6u.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: lFlw40OH6u.exe | ReversingLabs: Detection: 86%
Source: lFlw40OH6u.exe | Virustotal: Detection: 76%
Source: lFlw40OH6u.exe | String found in binary or memory: $72794fd6-9579-4364-adda-1580f4b1038b
Source: unknown | Process created: C:\Users\user\Desktop\lFlw40OH6u.exe "C:\Users\user\Desktop\lFlw40OH6u.exe"
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe"
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Process created: C:\Users\user\Desktop\lFlw40OH6u.exe "C:\Users\user\Desktop\lFlw40OH6u.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe"
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Process created: C:\Users\user\Desktop\lFlw40OH6u.exe "C:\Users\user\Desktop\lFlw40OH6u.exe"
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: lFlw40OH6u.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: lFlw40OH6u.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: lFlw40OH6u.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: dVrB.pdbSHA256 | source: lFlw40OH6u.exe
Source: Binary string: dVrB.pdb | source: lFlw40OH6u.exe
Source: lFlw40OH6u.exe | Static PE information: 0xE51857F3 [Thu Oct 18 20:30:43 2091 UTC]
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_07775648 pushfd ; iretd 0_2_077756F9
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_07775638 pushad ; iretd 0_2_07775639
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_0777AE19 push eax; mov dword ptr [esp], edx 0_2_0777AE2C
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_077756F0 pushfd ; iretd 0_2_077756F9
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_077726AD push FFFFFF8Bh; iretd 0_2_077726AF
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 0_2_0777283D push FFFFFF8Bh; iretd 0_2_0777283F
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CE06C8 push eax; ret 4_2_00CE0702
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CE0698 push eax; ret 4_2_00CE0712
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CE0698 push eax; ret 4_2_00CE0722
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CE0708 push eax; ret 4_2_00CE0712
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CE0718 push eax; ret 4_2_00CE0722
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Code function: 4_2_00CE0728 push eax; ret 4_2_00CE0732
Source: lFlw40OH6u.exe | Static PE information: section name: .text entropy: 7.760974990967821

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Process information set: NOOPENFILEERRORBOX (44 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (100 identical entries)
Source: C:\Users\user\Desktop\lFlw40OH6u.exe | Process information set: NOOPENFILEERRORBOX (35 identical entries)
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: lFlw40OH6u.exe PID: 6976, type: MEMORYSTR
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: lFlw40OH6u.exe, 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, lFlw40OH6u.exe, 00000004.00000002.3293046291.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, lFlw40OH6u.exe, 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: 1970000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: 32E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: 52E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: 9350000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: A350000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: A550000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: B550000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: CE0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: 27C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: 47C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6077
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3575
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe TID: 6200; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6388; Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe TID: 6152; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe TID: 6152; Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe TID: 6152; Thread sleep time: -99890s >= -30000s
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe TID: 5700; Thread sleep count: 225 > 30
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe TID: 5700; Thread sleep count: 173 > 30
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Thread delayed: delay time: 99890
                    Source: lFlw40OH6u.exe, 00000004.00000002.3293046291.00000000027F2000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware
                    Source: lFlw40OH6u.exe, 00000000.00000002.2062342816.00000000014D2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: lFlw40OH6u.exe, 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: vmware
                    Source: lFlw40OH6u.exe, 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: lFlw40OH6u.exe, 00000000.00000002.2062342816.00000000014D2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: lFlw40OH6u.exe, 00000004.00000002.3291272686.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Code function: 4_2_00CE70B0 CheckRemoteDebuggerPresent,4_2_00CE70B0
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe"
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Process created: C:\Users\user\Desktop\lFlw40OH6u.exe "C:\Users\user\Desktop\lFlw40OH6u.exe"
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Queries volume information: C:\Users\user\Desktop\lFlw40OH6u.exe VolumeInformation
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.433c010.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.lFlw40OH6u.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.43009f0.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.433c010.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.43009f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000004.00000002.3293046291.000000000281F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.3293046291.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: lFlw40OH6u.exe PID: 6976, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: lFlw40OH6u.exe PID: 2704, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\lFlw40OH6u.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.433c010.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.lFlw40OH6u.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.43009f0.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.433c010.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.43009f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000004.00000002.3293046291.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: lFlw40OH6u.exe PID: 6976, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: lFlw40OH6u.exe PID: 2704, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.433c010.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.lFlw40OH6u.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.43009f0.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.433c010.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.lFlw40OH6u.exe.43009f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000004.00000002.3293046291.000000000281F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.3293046291.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: lFlw40OH6u.exe PID: 6976, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: lFlw40OH6u.exe PID: 2704, type: MEMORYSTR

                    MITRE ATT&CK Matrix

                    Techniques are listed per tactic in the order of the report's matrix rows; a leading number is the count badge the report attaches to that technique.

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: 231 Windows Management Instrumentation; 2 Command and Scripting Interpreter; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: 1 Masquerading; 11 Disable or Modify Tools; 261 Virtualization/Sandbox Evasion; 11 Process Injection; 2 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                    Credential Access: 2 OS Credential Dumping; 1 Credentials in Registry; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: 531 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; 1 File and Directory Discovery; 34 System Information Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: 1 Email Collection; 1 Archive Collected Data; 2 Data from Local System; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 2 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1587592; sample lFlw40OH6u.exe; start date 10/01/2025; architecture WINDOWS; score 100), rendered as a process tree. The numbers in parentheses are the file/registry count badges shown on the original graph nodes.

• Sample-level network: mail.apexrnun.com; ip-api.com
• Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures
• lFlw40OH6u.exe (4), started
  - Dropped file: C:\Users\user\AppData\...\lFlw40OH6u.exe.log, ASCII
  - Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures
  - lFlw40OH6u.exe (15, 2), second instance started by the first
    · Network: ip-api.com 208.95.112.1, source port 49707 to destination port 80, TUT-ASUS, United States
    · Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  - powershell.exe (23), started by the first lFlw40OH6u.exe
    · Signature: Loading BitLocker PowerShell Module
    · WmiPrvSE.exe, started
    · conhost.exe, started

Source | Detection | Scanner | Label
lFlw40OH6u.exe | 86% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
lFlw40OH6u.exe | 76% | Virustotal | (link only in the original)
lFlw40OH6u.exe | 100% | Avira | TR/AD.GenSteal.kxktc
lFlw40OH6u.exe | 100% | Joe Sandbox ML | (no label)
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | (none) | high
mail.apexrnun.com | unknown | unknown | false | (none) | high
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | (none) | high

URLs found in memory or binary data:

Name | Source | Malicious | Antivirus Detection | Reputation
https://account.dyn.com/ | lFlw40OH6u.exe, 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp; lFlw40OH6u.exe, 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | lFlw40OH6u.exe, 00000000.00000002.2067295283.0000000003320000.00000004.00000800.00020000.00000000.sdmp; lFlw40OH6u.exe, 00000004.00000002.3293046291.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://ip-api.com | lFlw40OH6u.exe, 00000004.00000002.3293046291.00000000027C1000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
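The only contacted URL, http://ip-api.com/line/?fields=hosting, asks the geolocation service a single yes/no question: is the client's public IP a hosting or datacenter address? That is the "Check if machine is in data center or colocation facility" signature above, and the related-sample context further down shows the same endpoint reused by other AgentTesla and XWorm samples. The following Python is an added example written for this page (not Joe Sandbox or AgentTesla code) that classifies such requests in proxy-style logs. The log line format, the process names and the severity labels are assumptions; the constructed lines reuse URLs that appear on this page.

```python
"""Classify ip-api.com lookups seen in web-proxy logs.

Added example for this report, not Joe Sandbox code. SAMPLE_LOG is
CONSTRUCTED: 'timestamp process method url' lines whose URLs are taken
from this report and its related-sample context table.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

GEO_HOSTS = {"ip-api.com"}                     # only the service seen on this page
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}  # assumption


def classify_request(process: str, url: str) -> Optional[dict]:
    """Return a finding for IP-geolocation API calls, None for anything else."""
    u = urlsplit(url)
    host = u.hostname or ""
    if host not in GEO_HOSTS:
        return None
    fmt = u.path.strip("/").split("/")[0] or "(root)"   # line | json | csv | xml
    fields = parse_qs(u.query).get("fields", [""])[0]
    finding = {"process": process, "host": host, "format": fmt, "fields": fields}
    if "hosting" in fields.split(","):
        # 'hosting' answers one question only: is this IP a datacenter/VPS?
        # A desktop application has no use for that answer; anti-analysis code does.
        finding["verdict"] = "sandbox/VPS check"
        finding["severity"] = "high"
    else:
        # Plain geolocation. Numeric field masks such as fields=225545 are not
        # decoded here, so they may hide a hosting bit; treat non-browser
        # initiators as worth a look.
        finding["verdict"] = "geolocation lookup"
        finding["severity"] = "low" if process.lower() in BROWSERS else "medium"
    return finding


def scan(log_lines) -> list:
    """Run classify_request over 'timestamp process method url' log lines."""
    findings = []
    for line in log_lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue                      # malformed line, skip rather than guess
        ts, process, _method, url = parts
        f = classify_request(process, url)
        if f:
            f["time"] = ts
            findings.append(f)
    return findings


# Constructed log lines; the URLs are the ones listed in this report.
SAMPLE_LOG = [
    "2025-01-10T15:19:09 lFlw40OH6u.exe GET http://ip-api.com/line/?fields=hosting",
    "2025-01-10T15:19:10 chrome.exe GET https://www.example.com/",
    "2025-01-10T15:19:11 driver.exe GET http://ip-api.com/json/?fields=225545",
    "2025-01-10T15:19:12 p.exe GET http://ip-api.com/csv/?fields=query",
    "2025-01-10T15:19:13 chrome.exe GET http://ip-api.com/json/",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['severity']:6} {f['process']:18} {f['verdict']} ({f['format']}, fields={f['fields']!r})")
```

The request itself is unencrypted HTTP, so the same check can be applied to full-packet captures or IDS HTTP logs; the host match is the cheap part, and the value of the rule is in keying on the `hosting` field rather than on the domain alone, since browsers and legitimate tooling also talk to ip-api.com.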
                                Joe Sandbox version:42.0.0 Malachite
                                Analysis ID:1587592
                                Start date and time:2025-01-10 15:18:13 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 21s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:lFlw40OH6u.exe
                                renamed because original name is a hash value
                                Original Sample Name:f148f64274a9eee3839fe520a305a813369a808c803c047cdcb06f78777c445e.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@7/6@2/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 99%
                                • Number of executed functions: 164
                                • Number of non-executed functions: 12
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.109.210.53, 13.107.246.45, 20.12.23.50
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:19:06 | API Interceptor | 3x Sleep call for process: lFlw40OH6u.exe modified
09:19:08 | API Interceptor | 25x Sleep call for process: powershell.exe modified
Related samples sharing the contacted IP 208.95.112.1. The domain (ip-api.com) and ASN (TUT-ASUS) context tables list the same ten samples, each with context 208.95.112.1, and are not repeated here. SHA-256 values were links in the original and are not reproduced on this page.

Associated Sample Name / URL | Detection | Threat Name | Context
Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
driver.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
XClient.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
Comprobante.de.pago.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
p.exe | malicious | Unknown | ip-api.com/csv/?fields=query
rNuevaorden_pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
I334hDwRjj.exe | malicious | Blank Grabber, Njrat | ip-api.com/json/?fields=225545
startup_str_466.bat | malicious | XWorm | ip-api.com/line/?fields=hosting
7dtpow.ps1 | malicious | AgentTesla | ip-api.com/line/?fields=hosting
x.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                                Process:C:\Users\user\Desktop\lFlw40OH6u.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.34331486778365
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2232
                                Entropy (8bit):5.379677338874509
                                Encrypted:false
                                SSDEEP:48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:tLHxvIIwLgZ2KRHWLOug8s
                                MD5:AAC9B2CC385B2595E11AAF60C4652279
                                SHA1:5F14BE9EC829371BFAC9DDBF97BF156C13E03341
                                SHA-256:0C17939EA24BBFE7F727AFB0FABC5BAFC8F2A8A5218BC9B2A7580A54B510EC84
                                SHA-512:3BC9F81C7C9FD417B7F486550EBBE95CF4BA5408E013AB11FA54400F49DB8ACDAD5EE28C95278DACF62E6FDB30071D193EED741616C91E48F9A2ADC92EAAB257
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
Three further copies of the same 60-byte AppLocker test file (identical MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, Malicious: false) were dropped by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; their entries are identical to the one above and are not repeated.
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.753543676236527
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:lFlw40OH6u.exe
                                File size:707'584 bytes
                                MD5:f809585404b9272d36608b5892c98673
                                SHA1:3eec646d8bc67e230fcaddb53354286585b87d13
                                SHA256:f148f64274a9eee3839fe520a305a813369a808c803c047cdcb06f78777c445e
                                SHA512:6448ff250c6c1f035a53b29d8f9e98b8a19737f0a86cc56f5dc2a84775bb12891c5bbdebfd2ec6f86735ce7fb3adcda0d1b298c9ab2a7e0e1c0dfad4c468351d
                                SSDEEP:12288:hnC9EmEjMLIlCzjAfJHnldnY1Sbst7ne4C4QAwN1tuTuK+N/mES:sFogMJHbnIuisUyeES
                                TLSH:7DE40168564AD613C86A0BB45A71F1B8276C5DEBB102E3138FDD6EEF7927B144C092C3
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....W................0.................. ........@.. .......................@............@................................
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0x4ae0f6
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0xE51857F3 [Thu Oct 18 20:30:43 2091 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]    ; 0x400000 image base + IAT at RVA 0x2000: the CLR loader stub jumping to mscoree.dll!_CorExeMain, the binary's only import
add byte ptr [eax], al       ; repeated 97 times; this is the disassembly of 00 00 padding after the stub, not code
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xae0a3 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x5cc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xaba30 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                 .text | 0x2000 | 0xac0fc | 0xac200 | 87e947593c8a0f05c701e2ed0f20d6b2 | False | 0.9127632534495279 | data | 7.760974990967821 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                 .rsrc | 0xb0000 | 0x5cc | 0x600 | 2fe7e44aba5de4cb34bfb9320ab27fea | False | 0.4270833333333333 | data | 4.129753752513529 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                 .reloc | 0xb2000 | 0xc | 0x200 | 53a04d4294224c038afde01e0c9a1a05 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                 RT_VERSION | 0xb0090 | 0x33c | data | | | 0.42995169082125606
                                 RT_MANIFEST | 0xb03dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                 DLL | Import
                                 mscoree.dll | _CorExeMain
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Jan 10, 2025 15:19:09.020746946 CET | 49707 | 80 | 192.168.2.5 | 208.95.112.1
                                 Jan 10, 2025 15:19:09.025691032 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.5
                                 Jan 10, 2025 15:19:09.025862932 CET | 49707 | 80 | 192.168.2.5 | 208.95.112.1
                                 Jan 10, 2025 15:19:09.026885033 CET | 49707 | 80 | 192.168.2.5 | 208.95.112.1
                                 Jan 10, 2025 15:19:09.032167912 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.5
                                 Jan 10, 2025 15:19:09.481456995 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.5
                                 Jan 10, 2025 15:19:09.525691986 CET | 49707 | 80 | 192.168.2.5 | 208.95.112.1
                                 Jan 10, 2025 15:20:00.151213884 CET | 49707 | 80 | 192.168.2.5 | 208.95.112.1
                                 Jan 10, 2025 15:20:00.156322002 CET | 80 | 49707 | 208.95.112.1 | 192.168.2.5
                                 Jan 10, 2025 15:20:00.156414032 CET | 49707 | 80 | 192.168.2.5 | 208.95.112.1
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Jan 10, 2025 15:19:09.000368118 CET | 57847 | 53 | 192.168.2.5 | 1.1.1.1
                                 Jan 10, 2025 15:19:09.007339001 CET | 53 | 57847 | 1.1.1.1 | 192.168.2.5
                                 Jan 10, 2025 15:19:10.145459890 CET | 61522 | 53 | 192.168.2.5 | 1.1.1.1
                                 Jan 10, 2025 15:19:10.300642014 CET | 53 | 61522 | 1.1.1.1 | 192.168.2.5
                                 Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                 Jan 10, 2025 15:19:09.000368118 CET | 192.168.2.5 | 1.1.1.1 | 0xabcd | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                 Jan 10, 2025 15:19:10.145459890 CET | 192.168.2.5 | 1.1.1.1 | 0x8a51 | Standard query (0) | mail.apexrnun.com | A (IP address) | IN (0x0001) | false
                                 Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                 Jan 10, 2025 15:19:09.007339001 CET | 1.1.1.1 | 192.168.2.5 | 0xabcd | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                 Jan 10, 2025 15:19:10.300642014 CET | 1.1.1.1 | 192.168.2.5 | 0x8a51 | Name error (3) | mail.apexrnun.com | none | none | A (IP address) | IN (0x0001) | false
                                • ip-api.com
                                 Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                 0 | 192.168.2.5 | 49707 | 208.95.112.1 | 80 | 2704 | C:\Users\user\Desktop\lFlw40OH6u.exe
                                 Timestamp | Bytes transferred | Direction | Data
                                 Jan 10, 2025 15:19:09.026885033 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                 Host: ip-api.com
                                 Connection: Keep-Alive
                                 Jan 10, 2025 15:19:09.481456995 CET | 175 | IN | HTTP/1.1 200 OK
                                Date: Fri, 10 Jan 2025 14:19:08 GMT
                                Content-Type: text/plain; charset=utf-8
                                Content-Length: 6
                                Access-Control-Allow-Origin: *
                                X-Ttl: 60
                                X-Rl: 44
                                Data Raw: 66 61 6c 73 65 0a
                                Data Ascii: false

                                Target ID:0
                                Start time:09:19:05
                                Start date:10/01/2025
                                Path:C:\Users\user\Desktop\lFlw40OH6u.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\lFlw40OH6u.exe"
                                Imagebase:0xf90000
                                File size:707'584 bytes
                                MD5 hash:F809585404B9272D36608B5892C98673
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2068066023.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:09:19:06
                                Start date:10/01/2025
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\lFlw40OH6u.exe"
                                Imagebase:0xd80000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:09:19:07
                                Start date:10/01/2025
                                Path:C:\Users\user\Desktop\lFlw40OH6u.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\lFlw40OH6u.exe"
                                Imagebase:0x530000
                                File size:707'584 bytes
                                MD5 hash:F809585404B9272D36608B5892C98673
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3293046291.000000000281F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3293046291.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3293046291.00000000027F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.3290919476.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:5
                                Start time:09:19:07
                                Start date:10/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:09:19:09
                                Start date:10/01/2025
                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Imagebase:0x7ff6ef0c0000
                                File size:496'640 bytes
                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                  Execution Graph

                                  Execution Coverage:12.2%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:9
                                  Total number of Limit Nodes:0
                                  Execution graph: [rendered graph not preserved in this extract]
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2072923700.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7770000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 13bae0fa13577869d4ea36b5bc4986bab668b5dda95d5ae20ba44b1c924a6646
                                  • Instruction ID: 2941c376e6611da064336cf8d0902a02e54a99f0d3c802c045baf2fbfb6f9130
                                  • Opcode Fuzzy Hash: 13bae0fa13577869d4ea36b5bc4986bab668b5dda95d5ae20ba44b1c924a6646
                                  • Instruction Fuzzy Hash: 55A22975E002598FDB15DF68C8586EDB7B2FF89340F1482A9D80AA7351EB74AE85CF40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2072923700.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7770000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 873274dd40815481e09a327af45553a90dc82dc60382681c435b21f28b395ea0
                                  • Instruction ID: ce5c502f57b1981be17bc9bdf31728064f0fb8c3c848b3bdaa2fa59e130d4ea6
                                  • Opcode Fuzzy Hash: 873274dd40815481e09a327af45553a90dc82dc60382681c435b21f28b395ea0
                                  • Instruction Fuzzy Hash: F35245B4700315CFCB289B78C45966D7BE2BFC9386B5088BED507CB364DA759842CB52
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2072923700.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7770000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0bfa725219171dc1a258c76f1771413a99e998f0c9895f294e10f90256ef2a70
                                  • Instruction ID: 558e84c4e086d72779a014483ba455070c8db33a4f8bdb3777d72435d9467439
                                  • Opcode Fuzzy Hash: 0bfa725219171dc1a258c76f1771413a99e998f0c9895f294e10f90256ef2a70
                                  • Instruction Fuzzy Hash: 6B224870A10219CFCF14DF68D884A9DBBB6FF85340F1585A9E809AB265DB70ED85CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2072923700.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7770000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0f69867d3faa7c36bf190e9e6e8d8e80d5596bf6f84bbc7b2720cafdcdf85e76
                                  • Instruction ID: a7099664fa57a4d400b642d8a236f2ae5594c4ea239b43553a047ff14e4a640f
                                  • Opcode Fuzzy Hash: 0f69867d3faa7c36bf190e9e6e8d8e80d5596bf6f84bbc7b2720cafdcdf85e76
                                  • Instruction Fuzzy Hash: 7A025E70A00215CFCF14DF28D984A9DBBB6FF85340F1585A9E809AB266DB70ED85CF91

                                  Control-flow Graph: [rendered graph not preserved in this extract]
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Tejq$Tejq
                                  • API String ID: 0-942063033
                                  • Opcode ID: 4cbf5b8be3abf64d65b84b444f87b4f2a112eae604daf19f2fda66ff076797b0
                                  • Instruction ID: 2b75ad4807f8286a9e90d43ed7b8e03b5cadf4fc32fc6e465870903b0ce08398
                                  • Opcode Fuzzy Hash: 4cbf5b8be3abf64d65b84b444f87b4f2a112eae604daf19f2fda66ff076797b0
                                  • Instruction Fuzzy Hash: E741B1B4E042098FDF08DFE9C8846EDBBB2BF89300F14812AD519AB365D7305946CF50

                                  Control-flow Graph: [rendered graph not preserved in this extract]
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8nq$8nq
                                  • API String ID: 0-110844384
                                  • Opcode ID: c1366d8ce4d20b939ec8a8205e45814c5d6dce3271b3fca7ddbd286f8f3a8321
                                  • Instruction ID: 5095017e6b322fdc6d17d390a8986b55fd0c7a5443a779b29bbf18e3df8ea849
                                  • Opcode Fuzzy Hash: c1366d8ce4d20b939ec8a8205e45814c5d6dce3271b3fca7ddbd286f8f3a8321
                                  • Instruction Fuzzy Hash: 88210270B10218CFDB649A7C9908BAF76FAEBC8290B504939DB06D7385DE348D058792

                                  Control-flow Graph: [rendered graph not preserved in this extract]
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 4'jq
                                  • API String ID: 0-3676250632
                                  • Opcode ID: deded13d783934c5103e7427e8cbcc8e3da39bb119d3200fccb08063261be2ed
                                  • Instruction ID: 6662f02ab13de0c3c30d433f7525935513e6cdffe497bac84c3a6bca99e3fde9
                                  • Opcode Fuzzy Hash: deded13d783934c5103e7427e8cbcc8e3da39bb119d3200fccb08063261be2ed
                                  • Instruction Fuzzy Hash: F4E1B1B0B00209DFCB15DFB9E954BAE7BB6FF88340F108459D805AB365CA389D86CB54

                                  Control-flow Graph: [rendered graph not preserved in this extract]
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2072923700.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7770000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 795aa6b494f987b44d9f0bf3d2352f1780a8fd4bdea9f98fadd49c9049df23e8
                                  • Instruction ID: a6e4343e35456a4fcebcad851b321713639139b16253e84778fb105bb5759fb1
                                  • Opcode Fuzzy Hash: 795aa6b494f987b44d9f0bf3d2352f1780a8fd4bdea9f98fadd49c9049df23e8
                                  • Instruction Fuzzy Hash: 8731E5B1A042018FEB149F6CD448AADBFE1EFD6310F1A84AAE508DB3A2C6759C45CB51

                                  Control-flow Graph: [rendered graph not preserved in this extract]
                                  APIs
                                  • SetTimer.USER32(?,01A16428,?,?,?,?,?,?,0777A0B0,00000000,00000000,?), ref: 0777A25D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2072923700.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7770000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: Timer
                                  • String ID:
                                  • API String ID: 2870079774-0
                                  • Opcode ID: 2af4c559bf88efbe0fe2a04c172595a4fd7eaaa13a0a57b9825b0a843b13ca17
                                  • Instruction ID: 8eab2a279900ef77bd520f26419abff2e4f118371d5a12466ce85847fdf8e4f2
                                  • Opcode Fuzzy Hash: 2af4c559bf88efbe0fe2a04c172595a4fd7eaaa13a0a57b9825b0a843b13ca17
                                  • Instruction Fuzzy Hash: 5921A1B48083899FDB11CF99D844BDEBFF4AF0A310F15849AD458AB252C3796944CFA2

                                  Control-flow Graph: [rendered graph not preserved in this extract]
                                  APIs
                                  • SetTimer.USER32(?,01A16428,?,?,?,?,?,?,0777A0B0,00000000,00000000,?), ref: 0777A25D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2072923700.0000000007770000.00000040.00000800.00020000.00000000.sdmp, Offset: 07770000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7770000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: Timer
                                  • String ID:
                                  • API String ID: 2870079774-0
                                  • Opcode ID: 89c34ccefc9b2ebc1b5a01cbd85ee672ad44559029446d2d88498d3d455014b6
                                  • Instruction ID: 3baedcfe65fd3803afb217da42bfafa0f6807824a54e6bff8a5592a7398e32f5
                                  • Opcode Fuzzy Hash: 89c34ccefc9b2ebc1b5a01cbd85ee672ad44559029446d2d88498d3d455014b6
                                  • Instruction Fuzzy Hash: 8311F5B58003499FDB10DF99D445BDEFBF8EB49310F10845AE918B7200C379A944CFA5

                                  Control-flow Graph: [rendered graph not preserved in this extract]
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: F
                                  • API String ID: 0-1304234792
                                  • Opcode ID: 145dad4c6f79610514c2b70c746515d1a1b1ab98da97a6f14859bdcf4ddb62bb
                                  • Instruction ID: d859325293411c962e87304b12a7ab354aa13fc17036d30f871abb436229df2e
                                  • Opcode Fuzzy Hash: 145dad4c6f79610514c2b70c746515d1a1b1ab98da97a6f14859bdcf4ddb62bb
                                  • Instruction Fuzzy Hash: 16519CB1A18215CFC7348FADC8407FAB7F8AF85381F088567E566D7292D334A941C7A6
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: (nq
                                  • API String ID: 0-2756854522
                                  • Opcode ID: 8a85d46e116295fd44d19d265826838df18dc9c71cba77c1e6aef336e6b15669
                                  • Instruction ID: 9ba5eb0787e13451135cd992e02c499cf8825cb5e7c19dfc94c02cbe18a0bd4c
                                  • Opcode Fuzzy Hash: 8a85d46e116295fd44d19d265826838df18dc9c71cba77c1e6aef336e6b15669
                                  • Instruction Fuzzy Hash: 224183B0A01209AFDB18DF69D4587AFBAE6FFC8240F108929E415AB390EF74DD41CB51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Tejq
                                  • API String ID: 0-2468842661
                                  • Opcode ID: e0bac8cceccc2e154d29e938423e338a2f4fbca26ee66a241b781ddd56fa2f67
                                  • Instruction ID: 3a23528a4c8dda4a907e30a875a3f37353ceeabbc8b3f65c9b1594b05ee57c2e
                                  • Opcode Fuzzy Hash: e0bac8cceccc2e154d29e938423e338a2f4fbca26ee66a241b781ddd56fa2f67
                                  • Instruction Fuzzy Hash: FE2116B0D042488BDF18DFAAC9453EEBBF6BF89340F10C02AD419AB358EB7418068B50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 8nq
                                  • API String ID: 0-2810462305
                                  • Opcode ID: 52f718852f5b50be158eeeee94f17a1e49fa811054e103f6c0325989ef0f1e69
                                  • Instruction ID: fdb565871e528efbb3c6ffc0ff214d6ecc2931cdb81a69b29e6009f7c93e8cae
                                  • Opcode Fuzzy Hash: 52f718852f5b50be158eeeee94f17a1e49fa811054e103f6c0325989ef0f1e69
                                  • Instruction Fuzzy Hash: 3A1166B0B04208CFCB149E789908BAE77B6ABC9281F14483AD702DB282EA348D018752
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Tejq
                                  • API String ID: 0-2468842661
                                  • Opcode ID: 83cae1fa01110bd053af8523e9c829eea49ff0f7357bf7b559e49eb974dd89bd
                                  • Instruction ID: 5761a6021957ebba6af56409e807a2ce129cd403b6623c52904cf34dd482df8b
                                  • Opcode Fuzzy Hash: 83cae1fa01110bd053af8523e9c829eea49ff0f7357bf7b559e49eb974dd89bd
                                  • Instruction Fuzzy Hash: F321C8B0D056598BDF18DFEAC5456DEBBF6BF99340F14C029C419AB358EB741806CB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: T
                                  • API String ID: 0-3187964512
                                  • Opcode ID: 75097ed31dfacfc9b85131d673c477f346c4d17130ff94285bb6b2a8f6788f53
                                  • Instruction ID: 5bca0d41e3665d8d06c388bc809e6efb78fba8576560ef4d7f2b274787727a8d
                                  • Opcode Fuzzy Hash: 75097ed31dfacfc9b85131d673c477f346c4d17130ff94285bb6b2a8f6788f53
                                  • Instruction Fuzzy Hash: 7911CEB4906204CFCF10CF98E148AEDBBB5FB09395F10D628E4169B391D7789946CF01
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Tejq
                                  • API String ID: 0-2468842661
                                  • Opcode ID: 6c0a9477c46030a37906cf909d2f35b97276ca929bc6cb928eecb966523280da
                                  • Instruction ID: f0cc6dd553f71cd0cf6c48bcf80b55a5cd5257f2f37e8f3466d52b80308afb96
                                  • Opcode Fuzzy Hash: 6c0a9477c46030a37906cf909d2f35b97276ca929bc6cb928eecb966523280da
                                  • Instruction Fuzzy Hash: AA118075E002099FCF09DFE8D8849ADFBB2FF88310F10816AE919AB364C6325956CF40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2c8040f42f70b22bf7b2d854ee3939f54e1c8b0cdd51c14bd8cc9d7005c441e1
                                  • Instruction ID: 4130f4487ca11a6d99759657e323f08a0eebeec8d834ed58cac805629b72078a
                                  • Opcode Fuzzy Hash: 2c8040f42f70b22bf7b2d854ee3939f54e1c8b0cdd51c14bd8cc9d7005c441e1
                                  • Instruction Fuzzy Hash: F3E1FD71E1061A8FCF10DFA8C8546EDBBB5FF49310F10869AD549B7255EB30AA89CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f33aaf740d0287ff72aa88a1d790cb8e2d74927034fbf2acb8d1ee802596b274
                                  • Instruction ID: b8f231d32b31b6c74adc4384e6d6b955bb27054ca3456d489623ba0222730b17
                                  • Opcode Fuzzy Hash: f33aaf740d0287ff72aa88a1d790cb8e2d74927034fbf2acb8d1ee802596b274
                                  • Instruction Fuzzy Hash: 1CF1CB71E1061ACBCF10DFA8C954AEDB7B5FF59300F108699E94977214EB70AA85CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bce052aa8d56f2823eea45f837cf97bc92da2eabf341ce076d3b773db9ffa9fd
                                  • Instruction ID: 1bbe6550aadabbc36204fb35e60407a76e6412ec7baea5704f9880065c10d4a3
                                  • Opcode Fuzzy Hash: bce052aa8d56f2823eea45f837cf97bc92da2eabf341ce076d3b773db9ffa9fd
                                  • Instruction Fuzzy Hash: 48C15C71A10219CFCB24DF68C8447EDB7B2FF85344F1585A9D446BB250EB30AE85CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 908504adbfbd45179c867fd0838d822ac21360d21dbca04bcf31af80961de143
                                  • Instruction ID: eec4aef376e11d9acf3e2e8f4fa0e5d3480cd23b848a376ee459401e10f24656
                                  • Opcode Fuzzy Hash: 908504adbfbd45179c867fd0838d822ac21360d21dbca04bcf31af80961de143
                                  • Instruction Fuzzy Hash: 7AB1BFB0A145558FCB28CBB8C4507FEBBF1BF86354F10895BD5669B281D334E941CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 16b4ad1295bfa1c366bed0608e5de9b81f3f02a38ad96d17340ef17c7f816669
                                  • Instruction ID: 2ea5db488275ea9c8ee32e0cf1173fba0114807f1e99d64533b94ce6d44610a5
                                  • Opcode Fuzzy Hash: 16b4ad1295bfa1c366bed0608e5de9b81f3f02a38ad96d17340ef17c7f816669
                                  • Instruction Fuzzy Hash: 6881C2B0A1121ADFCB21EF68D8987EDBFB0FF45380F114469D446AB2A5EB30D965CB41
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bce84d2c2f7833093a356e3933dd67aa96cbf52eebc838021060c5aa7a91b925
                                  • Instruction ID: 8114b2ba6c00282128bdf5dab49ba5d19c9704905149adcbc697e952d3a692f3
                                  • Opcode Fuzzy Hash: bce84d2c2f7833093a356e3933dd67aa96cbf52eebc838021060c5aa7a91b925
                                  • Instruction Fuzzy Hash: 5B81A1B0A141598FCB28CBA8C5507EEBBF1BF86340F5084ABD4669B385D734DC42CB95
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8c9ae056ba99e324942652f449e1d6e713e59860a92bffa66f1f338124e8dba0
                                  • Instruction ID: 3d35561d212a1b99d71561279c67f094a56cadadd7578b10bc5105de45285555
                                  • Opcode Fuzzy Hash: 8c9ae056ba99e324942652f449e1d6e713e59860a92bffa66f1f338124e8dba0
                                  • Instruction Fuzzy Hash: D481A2B0A141598FCB24CFA9C5907EEBBF1BF86340F5084AAD4569B385D7349C42CB94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e7b50e011014fdcef09ac404408a198bdbc6c5f61102715f6127356b19a92ce1
                                  • Instruction ID: d28bd941308caceaac7e45cd9ee7e03ff5337eaec634d1fb55aeb7bc6e56e35c
                                  • Opcode Fuzzy Hash: e7b50e011014fdcef09ac404408a198bdbc6c5f61102715f6127356b19a92ce1
                                  • Instruction Fuzzy Hash: C96128B0A05241CFCB318B29C8407AEBBEAAF82351F1485ABD556CB2D6D734C842C793
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 74dd6fedb7b92e09150bb0c0f68fba6cfa0ccce6b4be1288c4e4b0a9b81fc0fe
                                  • Instruction ID: d40165efaf970e1e73656596f2f350d5b72781b8fe8b54edcef333df552e50f8
                                  • Opcode Fuzzy Hash: 74dd6fedb7b92e09150bb0c0f68fba6cfa0ccce6b4be1288c4e4b0a9b81fc0fe
                                  • Instruction Fuzzy Hash: 2A618FB0A145598FCB14CFA8C590BEEBBF1BF86340F60845AD0669B285D734DC42CB94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 799e081186aea8932004b862e5419b86a2449f5a5c56b454223f616c3a9814de
                                  • Instruction ID: 7a37a667720ded128451bac872a2331c01585d0c31e8ccde6f5efca2e144f880
                                  • Opcode Fuzzy Hash: 799e081186aea8932004b862e5419b86a2449f5a5c56b454223f616c3a9814de
                                  • Instruction Fuzzy Hash: 79714AB4A14228CFCB21CF54C584BEDB7B6BF49380F51D595E80AAB316D730A985CF60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c31f70f9ed6f591ccb9f3ee8e28c317cc854cda94b41c8aad6f914ffa55b970e
                                  • Instruction ID: ef3e238c89584b15208ddeb719db76359f10bdcdb806a7fd9a1e21c788817cc8
                                  • Opcode Fuzzy Hash: c31f70f9ed6f591ccb9f3ee8e28c317cc854cda94b41c8aad6f914ffa55b970e
                                  • Instruction Fuzzy Hash: B851E5B0F001459FDF18DFA9C9517EEBBB2BF85350F508426E956AB3D4CA349842CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1d9b172dc2302c76d89ff386120f89829a54401f09556f134e876e357821042c
                                  • Instruction ID: 467dd74cbede3ad69d87d35c12673a272f9440101465608621464e1d6b4b9673
                                  • Opcode Fuzzy Hash: 1d9b172dc2302c76d89ff386120f89829a54401f09556f134e876e357821042c
                                  • Instruction Fuzzy Hash: 5851E131F002559FCB04ABB8D4556AEBBB2BF89300F55C8A9D841AB399CF356D09CB81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 303ca6ac83a492d339534e66620fe352994fb2173ed87f05aa8ecb2c725344d6
                                  • Instruction ID: ac7fae2f798d2734b010e8dbdef84e3bdad02364888f6712afe7c94a3cffb65b
                                  • Opcode Fuzzy Hash: 303ca6ac83a492d339534e66620fe352994fb2173ed87f05aa8ecb2c725344d6
                                  • Instruction Fuzzy Hash: 5451B131F001559BDB04ABB8D455AAEBBB2BFC8300F54C8A9DC416B399CF356D59CB81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4f1fbd83cb21c7dc86906d0b78115cef5b203180dd8ae546d52b20d1e5162da8
                                  • Instruction ID: 4a84ed62149fa5da70fa894c2ada88682c5e06186327091877fb2be0266c7206
                                  • Opcode Fuzzy Hash: 4f1fbd83cb21c7dc86906d0b78115cef5b203180dd8ae546d52b20d1e5162da8
                                  • Instruction Fuzzy Hash: BF516DB0A00209CFCB29DF68D5586EEBBF2FF89354F148469E405AB265DB31DC46CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e83d212c22d34cce71724496d2b1a9f50418404ffd212c94317c3877cb9cb24d
                                  • Instruction ID: 8c2b235c2dca880be62a4e0b429a196522cc23da5b5231bbb892584609c51396
                                  • Opcode Fuzzy Hash: e83d212c22d34cce71724496d2b1a9f50418404ffd212c94317c3877cb9cb24d
                                  • Instruction Fuzzy Hash: 8C41BFB0B01206DFCB24DBA4D948AEEB7F6FF89240F148469E906D7356DA30D805CB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 69127af9d1ecf6b8fc5f7ac3ef2596b6f26a8b2cedec08dccfa93451244708f6
                                  • Instruction ID: dea451921ea30ce08a50e262137535cb4bf1b1e67e187da6979ee45ab4ca06a2
                                  • Opcode Fuzzy Hash: 69127af9d1ecf6b8fc5f7ac3ef2596b6f26a8b2cedec08dccfa93451244708f6
                                  • Instruction Fuzzy Hash: 83518271A10609DFCB04EFA8D4849EDF7B5FF89310F10856AE516AB320EB70A945CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d318c249b199b82ecb9ae9d4f04709642601e9bda716ac35b0bf8f5b19529578
                                  • Instruction ID: 333f5222c27e8bfde69c9dab31dda586b56786db5dab3633668c0c74ecf0871d
                                  • Opcode Fuzzy Hash: d318c249b199b82ecb9ae9d4f04709642601e9bda716ac35b0bf8f5b19529578
                                  • Instruction Fuzzy Hash: 8E4106F4E092198FDB18CFAAD4446EEBBF6BF89341F14D069D819A2261D7348941CB64
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2597979975089e32a672db181832bd2000c21f3f2593cd35cc13c62402a8b03b
                                  • Instruction ID: 90d73379f3dd36b1e8bbdc54f59988991c3ba87f01dc6f5368dba264bff9c669
                                  • Opcode Fuzzy Hash: 2597979975089e32a672db181832bd2000c21f3f2593cd35cc13c62402a8b03b
                                  • Instruction Fuzzy Hash: 0E4148B1A112099FDB14DFA8D858AEDBBB2BF89350F158569E801EB3A1DB30D841CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 96e6881b7aa7fdb366717bf6731c91894adf44f49898bc43fe3fcf305859a63b
                                  • Instruction ID: d22b0b90a24d0a583b65bf29b35c6ec55c7ce703ec2f78a18fbc0669715ca315
                                  • Opcode Fuzzy Hash: 96e6881b7aa7fdb366717bf6731c91894adf44f49898bc43fe3fcf305859a63b
                                  • Instruction Fuzzy Hash: CB414FB0B002059FCB28DF69D5987DEBBF2AF89250F24846DE405AB365DB71CC46CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e33a4055f871771ffce24f37fbad258b70ce0b84db40474a8cb52c91f34ed7f4
                                  • Instruction ID: 29e5a419abddd1ef98f2229664f256523756d9424471ffb919fb9a7d21de2e6c
                                  • Opcode Fuzzy Hash: e33a4055f871771ffce24f37fbad258b70ce0b84db40474a8cb52c91f34ed7f4
                                  • Instruction Fuzzy Hash: A1414970A112099FDB14DFA9D854BEDBBB2BF89350F158569E801EB3A1DB30EC41CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 91f5511903fdbac29066a2dd909e538907b3c912e279c5fa4cb4602f004b09f5
                                  • Instruction ID: d744386a45cb1eb9cb5a7ab606c4cb7d5542882e6229ab558aa06aefa05d1c53
                                  • Opcode Fuzzy Hash: 91f5511903fdbac29066a2dd909e538907b3c912e279c5fa4cb4602f004b09f5
                                  • Instruction Fuzzy Hash: D3417FB0D11208DFCB14DFA8D69969EBBB2FF81304F24C49AC4265B3A5D7748A05CB86
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 02fd9c678d4634cdbbf29514cac05e28374814d3178ffe3dd4c1a7dad7701c8a
                                  • Instruction ID: 6e1f11686435223314512cccac13555112101a17281adf9c6b529934d54a46cd
                                  • Opcode Fuzzy Hash: 02fd9c678d4634cdbbf29514cac05e28374814d3178ffe3dd4c1a7dad7701c8a
                                  • Instruction Fuzzy Hash: 6631F8B5606281DFCB25DB64D9487EE7BF2BF86240F14406AE815D7253CB34C805DB52
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 01bfffb3f0dc6063323a4d5e792df038b2b6d4759f11ad85175e3462dc812047
                                  • Instruction ID: 055794937073db0dfdb623a3b74ff032fa52f2b8ff08340e8165916ee76780eb
                                  • Opcode Fuzzy Hash: 01bfffb3f0dc6063323a4d5e792df038b2b6d4759f11ad85175e3462dc812047
                                  • Instruction Fuzzy Hash: 1631C6B471E3804FD726477498293A93FF29B87251F0944A7E542CB2D7CD388C05C762
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6135b3a624ada5f508e4f3bb42ead6e55a8e4242607edef84b9d0a096e5eb3d3
                                  • Instruction ID: 0f9fd3187feea503126087f1c165aceb2ca6cd84491a95a417b7cd67499288cd
                                  • Opcode Fuzzy Hash: 6135b3a624ada5f508e4f3bb42ead6e55a8e4242607edef84b9d0a096e5eb3d3
                                  • Instruction Fuzzy Hash: 8231F8B4915109DFCB16CFA9C1809EDF7BAFB4E381B10E561D819AB216C731E992CB60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a8f3fe248aac32a9ed06b0d1d64a92c6bc1f1815c2d366bb8563f62f09656a9f
                                  • Instruction ID: 332d61665379b962a3413ab96777f578c832872f23f776abcf403a75502d2e92
                                  • Opcode Fuzzy Hash: a8f3fe248aac32a9ed06b0d1d64a92c6bc1f1815c2d366bb8563f62f09656a9f
                                  • Instruction Fuzzy Hash: E631C3B1E00219DFCB24EFA8D4449ADBBF6FF88350F10856AE901AB325DB709C45CB91
                                  • Instruction Fuzzy Hash: 8001A431A1462E8BCF14EB68D8144DDB3B5FF89310F018525D91677240FF306A198BE1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a2f75807fba9ef1b4ddd1abfd7794b0e53474d7a2c0ade72456886560ffa5f92
                                  • Instruction ID: 9b91b9a90bde6f248954878703b3c4174ba342e5cb46771e6c24aea86842f988
                                  • Opcode Fuzzy Hash: a2f75807fba9ef1b4ddd1abfd7794b0e53474d7a2c0ade72456886560ffa5f92
                                  • Instruction Fuzzy Hash: 66F044F0929108DFCB15CF59D640AF8BBBCAF4A380F00D9A4D4099B212D7349A15DBA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f2dae8b492854a0e5716b09f9a3f6e9195d8b471c17f48a3599fbc95191d25c3
                                  • Instruction ID: cafa8c6fc7682797a4d70032bb203d5a8d4da446f65ba6dee329aea941a8c8dd
                                  • Opcode Fuzzy Hash: f2dae8b492854a0e5716b09f9a3f6e9195d8b471c17f48a3599fbc95191d25c3
                                  • Instruction Fuzzy Hash: 95F0E2F0A1A219CBCB24CB90D584AFEBBB9FF4F291F14A054DC0AB2662C7315E51CB51
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2064047135.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_15ed000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b7ba71a0a906042d7a2304f5f7232434a13561b44350ede1872253dfa6ab6676
                                  • Instruction ID: 126b5fdcead321956903d68c9a07e0e6ea1c97250f68b9bdbc71499a0aa8e616
                                  • Opcode Fuzzy Hash: b7ba71a0a906042d7a2304f5f7232434a13561b44350ede1872253dfa6ab6676
                                  • Instruction Fuzzy Hash: 83F062718043849EE7158F1AC888B66FFE8EF46634F18C45AED484E286C2799844CBB5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4bb7c7cdac523a4e6bf0a390e574fbad59c8a9149ed646133b114b14a16579fb
                                  • Instruction ID: e6885954ce14625c1a627561cfb4c2d7e420403dce47ff9a0fe3c771df6eb831
                                  • Opcode Fuzzy Hash: 4bb7c7cdac523a4e6bf0a390e574fbad59c8a9149ed646133b114b14a16579fb
                                  • Instruction Fuzzy Hash: E3F0B4B5A043418FC7249B29AD8499ABF69EFC6250714456EE50AC7250EF61D845C361
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4fadd9f13bb652e9582d493b2225da550eb54d97949b5601b5cb99d0a693dd36
                                  • Instruction ID: 2838ca24527701f48b4860cea33cc0e7486ede8eaa64053a31d3f0f824bd9c4e
                                  • Opcode Fuzzy Hash: 4fadd9f13bb652e9582d493b2225da550eb54d97949b5601b5cb99d0a693dd36
                                  • Instruction Fuzzy Hash: BAF06275909258AFCB03DFA8D8456DDBBB0EB45310F0081BAD804DB692D2345A15DB81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b75e53b38d30a821992cfcdd4fa88730843812433a14a730524d01a8016dec13
                                  • Instruction ID: ae7118a8428b56a5e82a4533564879abacfd6d1122b1b73937bc9e98ac844589
                                  • Opcode Fuzzy Hash: b75e53b38d30a821992cfcdd4fa88730843812433a14a730524d01a8016dec13
                                  • Instruction Fuzzy Hash: DDF05070509200CFDB219F68D4003DC7F359F86340F40C576D4049B396EB744916CB12
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e91118c9c6191119b164866dbcf2ee80640ff1fc4647895709155c9cc4ee9197
                                  • Instruction ID: a68e908437965b63e7b87fd9b534ff33700a72c88aae626f3ea29616dce60e42
                                  • Opcode Fuzzy Hash: e91118c9c6191119b164866dbcf2ee80640ff1fc4647895709155c9cc4ee9197
                                  • Instruction Fuzzy Hash: DEF0A0B0619104CBDB20ABA9E5057EC7B699F89380F80C435D10966359EA740916CB12
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 50209bffbf24f5eb4d59888fc65306b2bed59cd4c682ee18e864e77e47a33b74
                                  • Instruction ID: 2fcf286e625fc892c3206c526eecfeb2f18e7a41b504fbc54833e5ce1a9d9819
                                  • Opcode Fuzzy Hash: 50209bffbf24f5eb4d59888fc65306b2bed59cd4c682ee18e864e77e47a33b74
                                  • Instruction Fuzzy Hash: 87F0BEF0D502069FD750DFBCC54578ABBF0AB043A0F2085AAC824DB221E37986018B81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6cbed801292bda9970b204bcc2a94717f863f20535eab6ac966ddb318410864a
                                  • Instruction ID: 48c77eeb5b451c696263ce387a805df4ed2ed8d5398a5771148bd1c3317d34bf
                                  • Opcode Fuzzy Hash: 6cbed801292bda9970b204bcc2a94717f863f20535eab6ac966ddb318410864a
                                  • Instruction Fuzzy Hash: B0F030B4D0120CEFCF55DFA8D50968DBBB1FB48301F00C0A9E91497340D6345A60DF41
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0c77633dfeb2e022b03267cbbf1f71cfe8056e99c107f2366cd8c1d62d824fe1
                                  • Instruction ID: 42398b8908a7f001538d7ead260b471b2e5c7b39966587e00e4c373444faae8f
                                  • Opcode Fuzzy Hash: 0c77633dfeb2e022b03267cbbf1f71cfe8056e99c107f2366cd8c1d62d824fe1
                                  • Instruction Fuzzy Hash: 38F07AB8911228CFCBA1CF24C885BD8B7B0BB1A310F0080D6D80DA3312D770AE95CF00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3b16bba97a7a68a52efbbb958774989665518fa5cd1fe8099e8a4a0d34a65b06
                                  • Instruction ID: 2ab3da4fa9b030d7e22c0e198ed484cfaa30374539482980f68a424873d5b598
                                  • Opcode Fuzzy Hash: 3b16bba97a7a68a52efbbb958774989665518fa5cd1fe8099e8a4a0d34a65b06
                                  • Instruction Fuzzy Hash: 44E06DB0A0725ACFDB24EF58D988BEDBBBAFB47240F0196A6D01A97065CB340D45CE01
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 265b508e51bc897abe6bafe048651ec2b9c1aa9d654d8fd7ae25f50c48c7dee3
                                  • Instruction ID: fc84c0fa7116a1f5932ca367bbd2dd93734201890a1b95577d21e57cb5a67046
                                  • Opcode Fuzzy Hash: 265b508e51bc897abe6bafe048651ec2b9c1aa9d654d8fd7ae25f50c48c7dee3
                                  • Instruction Fuzzy Hash: FCE06DB010A284CFCB528B64C1586B83B34AF0B351F1098DAD40E6B163C7369851CB20
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d18f61c6474bd7976009894f269ed40aa7028eee0dc9d71923725956889be2d3
                                  • Instruction ID: ca2a73681e97788164150238f0d8f3901505d76d8237e340127eae1f30241f80
                                  • Opcode Fuzzy Hash: d18f61c6474bd7976009894f269ed40aa7028eee0dc9d71923725956889be2d3
                                  • Instruction Fuzzy Hash: 05E0D8F060B745CED724BF18D9847D97A6AFB43240F0093F5801986016CB740D44CF01
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1c8cc6afa5b24427ce2e75518f5ef2438fb6bfda961c1d103730df3d1b6283d4
                                  • Instruction ID: d9b663ebb1306f5551b13407705f355c47df1013c73f1952a399f92aea9169da
                                  • Opcode Fuzzy Hash: 1c8cc6afa5b24427ce2e75518f5ef2438fb6bfda961c1d103730df3d1b6283d4
                                  • Instruction Fuzzy Hash: FDE04FB0A46256CFCB24EF18D984BEDBBBBFB47280F01D6A9901597151CB741D85CF01
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 012134fb60fef843ad4320e418955d823b0961743f009e8755f10ee329c0164b
                                  • Instruction ID: 10da8e2287b609cd3276497b813cfea4ebd5754a6a2181ddbd5d6af3bd52eccc
                                  • Opcode Fuzzy Hash: 012134fb60fef843ad4320e418955d823b0961743f009e8755f10ee329c0164b
                                  • Instruction Fuzzy Hash: 63E0C2F0409204CBC716CA5181019FE3B7DAB4F260B10E260E07E862A1DB35C4828F10
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 69eb2ee3946e3ec7f9ed5cf6aa4e7387fcf9ae88456cb96c65fdf1856dfb2198
                                  • Instruction ID: 2a43bff16e9703261b5c0c96b26fa4b4ef50267057f488da1040f6358bedec8f
                                  • Opcode Fuzzy Hash: 69eb2ee3946e3ec7f9ed5cf6aa4e7387fcf9ae88456cb96c65fdf1856dfb2198
                                  • Instruction Fuzzy Hash: AFE092F0D40209DFD750EFB9C945B9EBBF4AF08200F1185AAD419E7221E7B496048F91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b6e47d428441d36f9c01f8879c823960b0dcfa76e5e33e5c36e282fc1887a2b7
                                  • Instruction ID: e494ae0a639eef1b43f87c291efd56e40bd6590b63f8188c8a3343ca569398d0
                                  • Opcode Fuzzy Hash: b6e47d428441d36f9c01f8879c823960b0dcfa76e5e33e5c36e282fc1887a2b7
                                  • Instruction Fuzzy Hash: CEE0B678908204CFCB14DFA0D4948ADFBB5BF4A301B15D559E406AB365C7319842CF44
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eec17a87fe3c3d8b8659c6090e83402e378c3633d758864e5efceb4a113b6b04
                                  • Instruction ID: 883bab7cda924e678abea40a2250ef9ea6808cd131f0b818c489a4b0b92c7024
                                  • Opcode Fuzzy Hash: eec17a87fe3c3d8b8659c6090e83402e378c3633d758864e5efceb4a113b6b04
                                  • Instruction Fuzzy Hash: 20D02EB0444200CBCB35AE80C0C16F9BB7AEB0A282361852AC81B0A205C738A403CB00
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 902871eb03b2b1ac5e31852d3a65647c061751ff7cc06088501ba5c3cfeb499d
                                  • Instruction ID: d1ad5edcd0608e95e5489ca9f058f2c999030fa4b7d18551ce3b650df9432ce0
                                  • Opcode Fuzzy Hash: 902871eb03b2b1ac5e31852d3a65647c061751ff7cc06088501ba5c3cfeb499d
                                  • Instruction Fuzzy Hash: F6D05EE551E286EFCB220A3084152912B686BE32C0B0946FF8081CA052D4188D018653
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 08e7f7a29dd39887d9ff4ae3685db36ccbe30afe7e8749140e56fbb39c32e504
                                  • Instruction ID: 95bb8cbf30564c46d4517c7a1e7004124155b739d295dcc1fca11ec7804f4d94
                                  • Opcode Fuzzy Hash: 08e7f7a29dd39887d9ff4ae3685db36ccbe30afe7e8749140e56fbb39c32e504
                                  • Instruction Fuzzy Hash: 2BC04C700436148BCF267BA8E70E3B47A689B422A6F418011E54D514A19AA95471C695
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f05c376b502938a84457ff4e44b7ac210d0fae815f2ccc001eadb33c7e0afafe
                                  • Instruction ID: d8d0754806b0403cdf1cabc0daf466f54488c9576c18e2376879c653cdf96e13
                                  • Opcode Fuzzy Hash: f05c376b502938a84457ff4e44b7ac210d0fae815f2ccc001eadb33c7e0afafe
                                  • Instruction Fuzzy Hash: 41D012F1A05104DFDB50DF5DE2866DC7FB8EB55245B20857590148A207E67884078F21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f5ecd92ce60316457b3af1f0aa38d484abc7c1ada00a152d53a0fe3cdd6057c7
                                  • Instruction ID: 242cee1737b6eae8e637a1f302d8cbd1d5864c313f9187df2ebd6e72e9edd2dc
                                  • Opcode Fuzzy Hash: f5ecd92ce60316457b3af1f0aa38d484abc7c1ada00a152d53a0fe3cdd6057c7
                                  • Instruction Fuzzy Hash: BFB012B61E5204E1840462A4C98CE6B9414FFBEBC0F808C21B706C001494728C2CE32B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5fb5332cc59467e776483461008ddbb53e59a6c15622dee489f1fd4e8e5a2d97
                                  • Instruction ID: f2313dc4f32fff4bf9e48196871209ace2333f74bc27a43ed0202f625d06622e
                                  • Opcode Fuzzy Hash: 5fb5332cc59467e776483461008ddbb53e59a6c15622dee489f1fd4e8e5a2d97
                                  • Instruction Fuzzy Hash: C5E1FBB4E001199FCB14DFA9C980AAEFBB2FF89305F248569D414AB356D730AD41CF61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5ec09ee2610e635c7902649781b6887b3bc3a80027cff6433001e8ae9cf94a7c
                                  • Instruction ID: 6774f2bc3278417d60f8523998f7cd746cfad44df42cb3c2c2dd0311e97ea9fd
                                  • Opcode Fuzzy Hash: 5ec09ee2610e635c7902649781b6887b3bc3a80027cff6433001e8ae9cf94a7c
                                  • Instruction Fuzzy Hash: D5E1F7B4E011198FCB14DFA9C580AAEFBB2FF89305F248169D414AB356D771AD42CFA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 03f9b592fbb07601fb1ac7a233a04796ff43626741f4f4453bad48b63006eedb
                                  • Instruction ID: a338a0b5547fb9b2691398fc4836adbee75a638e60e059c6f6c0c3d4bc0ea671
                                  • Opcode Fuzzy Hash: 03f9b592fbb07601fb1ac7a233a04796ff43626741f4f4453bad48b63006eedb
                                  • Instruction Fuzzy Hash: 3B5105B4E19209DFCF28CFA9D4446EEBBF9AF8A350F54902AE459A7211D3309951CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 832930952c790f43b36830df6b2a602c895e2a970bafd1d45d1d97691b6bbd38
                                  • Instruction ID: ee970ad1e200aef57314e369c44c0f4addf9a3885938ad5d1cb814c0b0b359fd
                                  • Opcode Fuzzy Hash: 832930952c790f43b36830df6b2a602c895e2a970bafd1d45d1d97691b6bbd38
                                  • Instruction Fuzzy Hash: 1A510CB0E052198FCB15CFA9C9445EEFBB2FF89304F148169D418AB356D7719A42CFA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2073690972.00000000077B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_77b0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 509329db754469ab2bba12830281afb87265c4a918eff722efc5e3f05a82ff85
                                  • Instruction ID: 5ab6f17ce320d41fdf3c2e4c1e3d9370b37724858d40dfc48f376d21b44014a3
                                  • Opcode Fuzzy Hash: 509329db754469ab2bba12830281afb87265c4a918eff722efc5e3f05a82ff85
                                  • Instruction Fuzzy Hash: D2511DB4E012198FCB15CFA9C9805AEFBB2EF89304F14C56AD418AB256D7349942CFA1

                                  Execution Graph

                                  Execution Coverage:10.8%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:108
                                  Total number of Limit Nodes:12
                                  execution_graph (raw node/edge dump omitted; Win32 API nodes present in the graph: GetModuleHandleW, CreateWindowExW, GlobalMemoryStatusEx, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CheckRemoteDebuggerPresent)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $jq$$jq$$jq$$jq$$jq$$jq
                                  • API String ID: 0-3356825164
                                  • Opcode ID: 1d182772bc0e655e51a7b4017ca909497a638a39fc919479058ab114ee2b5b69
                                  • Instruction ID: 2c0008df37574c719f8d474bdf10f65929883d2002057c317e3b42fc1fbf3cbf
                                  • Opcode Fuzzy Hash: 1d182772bc0e655e51a7b4017ca909497a638a39fc919479058ab114ee2b5b69
                                  • Instruction Fuzzy Hash: E2824D30E106158FCB65EF64C594A9EB7B2FF85300F54C6AAD409AB365EB70ED85CB80

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 1872 6487d88-6487da6 1873 6487da8-6487dab 1872->1873 1874 6487dad-6487dc9 1873->1874 1875 6487dce-6487dd1 1873->1875 1874->1875 1876 6487de8-6487deb 1875->1876 1877 6487dd3-6487de1 1875->1877 1879 6487e0c-6487e0f 1876->1879 1880 6487ded-6487e07 1876->1880 1888 6487e2e-6487e44 1877->1888 1889 6487de3 1877->1889 1881 6487e1c-6487e1e 1879->1881 1882 6487e11-6487e1b 1879->1882 1880->1879 1885 6487e20 1881->1885 1886 6487e25-6487e28 1881->1886 1885->1886 1886->1873 1886->1888 1892 6487e4a-6487e53 1888->1892 1893 648805f-6488069 1888->1893 1889->1876 1894 6487e59-6487e76 1892->1894 1895 648806a-648809f 1892->1895 1904 648804c-6488059 1894->1904 1905 6487e7c-6487ea4 1894->1905 1898 64880a1-64880a4 1895->1898 1899 64882d9-64882dc 1898->1899 1900 64880aa-64880b9 1898->1900 1902 64882de-64882fa 1899->1902 1903 64882ff-6488302 1899->1903 1909 64880d8-648811c 1900->1909 1910 64880bb-64880d6 1900->1910 1902->1903 1906 6488308-6488314 1903->1906 1907 64883ad-64883af 1903->1907 1904->1892 1904->1893 1905->1904 1923 6487eaa-6487eb3 1905->1923 1915 648831f-6488321 1906->1915 1911 64883b1 1907->1911 1912 64883b6-64883b9 1907->1912 1928 64882ad-64882c3 1909->1928 1929 6488122-6488133 1909->1929 1910->1909 1911->1912 1912->1898 1916 64883bf-64883c8 1912->1916 1918 6488339-648833d 1915->1918 1919 6488323-6488329 1915->1919 1926 648834b 1918->1926 1927 648833f-6488349 1918->1927 1924 648832b 1919->1924 1925 648832d-648832f 1919->1925 1923->1895 1931 6487eb9-6487ed5 1923->1931 1924->1918 1925->1918 1930 6488350-6488352 1926->1930 1927->1930 1928->1899 1939 6488298-64882a7 1929->1939 1940 6488139-6488156 1929->1940 1934 6488363-648839c 1930->1934 1935 6488354-6488357 1930->1935 1942 648803a-6488046 1931->1942 1943 6487edb-6487f05 1931->1943 1934->1900 1955 64883a2-64883ac 1934->1955 1935->1916 1939->1928 1939->1929 1940->1939 1949 648815c-6488252 call 64865a8 1940->1949 1942->1904 1942->1923 1956 6487f0b-6487f33 1943->1956 1957 6488030-6488035 1943->1957 2005 6488260 1949->2005 2006 6488254-648825e 1949->2006 1956->1957 1963 6487f39-6487f67 1956->1963 1957->1942 1963->1957 1969 6487f6d-6487f76 1963->1969 1969->1957 1971 6487f7c-6487fae 1969->1971 1978 6487fb9-6487fd5 1971->1978 1979 6487fb0-6487fb4 1971->1979 1978->1942 1981 6487fd7-648802e call 64865a8 1978->1981 1979->1957 1980 6487fb6 1979->1980 1980->1978 1981->1942 2007 6488265-6488267 2005->2007 2006->2007 2007->1939 2008 6488269-648826e 2007->2008 2009 648827c 2008->2009 2010 6488270-648827a 2008->2010 2011 6488281-6488283 2009->2011 2010->2011 2011->1939 2012 6488285-6488291 2011->2012 2012->1939
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $jq$$jq
                                  • API String ID: 0-3720491408
                                  • Opcode ID: 5a6f6b0c1bcc6f7105ca1ec8fe609551b738e7ed240337a39999ad46a61a6371
                                  • Instruction ID: c3097fa026ea052ece71838fb2e8019e6fc6a5bcc682ff36ca437d6752a7737f
                                  • Opcode Fuzzy Hash: 5a6f6b0c1bcc6f7105ca1ec8fe609551b738e7ed240337a39999ad46a61a6371
                                  • Instruction Fuzzy Hash: 6902DF30B006058FDB55EF68D690AAEB7E2FF85310F64852AD405EB395DB39EC46CB80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $
                                  • API String ID: 0-3993045852
                                  • Opcode ID: ab243e39e17d8a61e93336793d5ec141bba3d120146f26d89de1741348814eae
                                  • Instruction ID: c8858c20c5d1011385da68266acd8506fc9c20f991fbe16675104647c9599d3f
                                  • Opcode Fuzzy Hash: ab243e39e17d8a61e93336793d5ec141bba3d120146f26d89de1741348814eae
                                  • Instruction Fuzzy Hash: 6A22A171E102158FDFA9EBA4C9806AFB7B2FF84320F24846AD406AB355DB35DD45CB90
                                  APIs
                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00CE7127
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3292386742.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_ce0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  • Opcode ID: d1baaa37baa55e8f2cc2adfe3a9d3444ab865a8bc3b75fa27a07b1e15d6ace41
                                  • Instruction ID: d88fac8c9989b97a716e34c0fca84a6b7fa2d8a611bc2abd5d45415457d2b17e
                                  • Opcode Fuzzy Hash: d1baaa37baa55e8f2cc2adfe3a9d3444ab865a8bc3b75fa27a07b1e15d6ace41
                                  • Instruction Fuzzy Hash: F62157B18002598FCB10CF9AD884BEEFBF4EF49310F14841AE458B3250D778A944CFA1
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5a4f4201987c46d1a11069451e4fb631a996a16b9a2e36b6c8eded4289ee68a9
                                  • Instruction ID: d64b97c5c2438c7c63088a1d57c80db7f38e4c59979f227e58a388496241a050
                                  • Opcode Fuzzy Hash: 5a4f4201987c46d1a11069451e4fb631a996a16b9a2e36b6c8eded4289ee68a9
                                  • Instruction Fuzzy Hash: D862BE34A002048FDF95EB68D594BAEB7F2EF84314F25846AE405EB395DB35ED46CB80
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cff498d3f30e1dd79e18212bfc3cc4303e7cc18734b755c5d50aa67bf2935ef9
                                  • Instruction ID: 7a4b636a4e22d997dc8354d90710f56a492526f6fba30ad71b1fa8a690d62d96
                                  • Opcode Fuzzy Hash: cff498d3f30e1dd79e18212bfc3cc4303e7cc18734b755c5d50aa67bf2935ef9
                                  • Instruction Fuzzy Hash: 13328434F102058FDF55EB68E584AAEB7B6FB89310F10852AE505E7395DB38EC45CBA0
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ceee5b034eb91842a9722d453d59fc7cf94368e6f1a72ddfff8cfdb902df6b54
                                  • Instruction ID: 8d6b651c24fcf282f913785078e38e710ebd010a4808858d6787469ec6089f80
                                  • Opcode Fuzzy Hash: ceee5b034eb91842a9722d453d59fc7cf94368e6f1a72ddfff8cfdb902df6b54
                                  • Instruction Fuzzy Hash: A6228170E002098FDF65EB58D9847AFB7B6EB85310F248926E405EB395CB38DC85CB91

                                  Control-flow Graph

                                  control_flow_graph 528 648acd0-648acee 529 648acf0-648acf3 528->529 530 648acf5-648ad14 529->530 531 648ad16-648ad19 529->531 530->531 532 648ad1b-648ad24 531->532 533 648ad33-648ad36 531->533 535 648ad2a-648ad2e 532->535 536 648af07-648af15 532->536 537 648ad38-648ad3d 533->537 538 648ad40-648ad43 533->538 535->533 548 648af60-648af63 536->548 549 648af17-648af1e 536->549 537->538 539 648ad5d-648ad60 538->539 540 648ad45-648ad58 538->540 541 648ad62-648ad6f 539->541 542 648ad74-648ad77 539->542 540->539 541->542 546 648ad79-648ad82 542->546 547 648ad87-648ad8a 542->547 546->547 556 648ad9b-648ad9e 547->556 557 648ad8c-648ad90 547->557 551 648af69-648afa4 548->551 552 648b1cc-648b1cf 548->552 554 648af20-648af21 549->554 555 648af22-648af3e 549->555 573 648afaa-648afb6 551->573 574 648b197-648b1aa 551->574 558 648b1de-648b1e1 552->558 559 648b1d1 call 648b2a7 552->559 554->555 560 648af40-648af43 555->560 563 648aeed-648aef6 556->563 564 648ada4-648ada6 556->564 561 648aefc-648af06 557->561 562 648ad96 557->562 568 648b1e3-648b1ff 558->568 569 648b204-648b206 558->569 577 648b1d7-648b1d9 559->577 566 648af50-648af53 560->566 567 648af45-648af4f 560->567 562->556 563->532 563->561 570 648ada8 564->570 571 648adad-648adb0 564->571 566->548 578 648af55-648af59 566->578 568->569 575 648b208 569->575 576 648b20d-648b210 569->576 570->571 571->529 572 648adb6-648adda 571->572 589 648aeea 572->589 590 648ade0-648adef 572->590 586 648afb8-648afd1 573->586 587 648afd6-648b01a 573->587 582 648b1ac 574->582 575->576 576->560 581 648b216-648b220 576->581 577->558 578->551 579 648af5b 578->579 579->548 582->552 586->582 605 648b01c-648b02e 587->605 606 648b036-648b075 587->606 589->563 594 648adf1-648adf7 590->594 595 648ae07-648ae42 call 64865a8 590->595 596 648adf9 594->596 597 648adfb-648adfd 594->597 615 648ae5a-648ae71 595->615 616 648ae44-648ae4a 595->616 596->595 597->595 605->606 610 648b07b-648b156 call 64865a8 606->610 611 648b15c-648b171 606->611 610->611 611->574 625 648ae89-648ae9a 615->625 626 648ae73-648ae79 615->626 619 648ae4c 616->619 620 648ae4e-648ae50 616->620 619->615 620->615 631 648ae9c-648aea2 625->631 632 648aeb2-648aee3 625->632 628 648ae7b 626->628 629 648ae7d-648ae7f 626->629 628->625 629->625 634 648aea4 631->634 635 648aea6-648aea8 631->635 632->589 634->632 635->632
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $jq$$jq$$jq$$jq$$jq$$jq$$jq$$jq
                                  • API String ID: 0-666546452
                                  • Opcode ID: f4f71a1b04220a0011753cdf6d7ba981b747d666d379f20a72bc3d379323775f
                                  • Instruction ID: fa1ab9d50b694b45633f5ecee5ff74447263a42a4351c827a328c2162c5f823e
                                  • Opcode Fuzzy Hash: f4f71a1b04220a0011753cdf6d7ba981b747d666d379f20a72bc3d379323775f
                                  • Instruction Fuzzy Hash: 94E17F30E102098FCF65EFA9D5846AEB7B6EF85304F20852AD815EB355DB74DC86CB81

                                  Control-flow Graph

                                  control_flow_graph 913 646360a-646369f GetCurrentProcess 917 64636a1-64636a7 913->917 918 64636a8-64636dc GetCurrentThread 913->918 917->918 919 64636e5-6463719 GetCurrentProcess 918->919 920 64636de-64636e4 918->920 922 6463722-646373d call 64637e0 919->922 923 646371b-6463721 919->923 920->919 926 6463743-6463772 GetCurrentThreadId 922->926 923->922 927 6463774-646377a 926->927 928 646377b-64637dd 926->928 927->928
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0646368E
                                  • GetCurrentThread.KERNEL32 ref: 064636CB
                                  • GetCurrentProcess.KERNEL32 ref: 06463708
                                  • GetCurrentThreadId.KERNEL32 ref: 06463761
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297514326.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6460000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 6b9eef542b706cb31eca554e8004f7552321646208b239b2d2709ee519cf40dd
                                  • Instruction ID: c970317002c68b93edfa8a7a4252f2e47bb78817018d5c4c0045a1911ded585c
                                  • Opcode Fuzzy Hash: 6b9eef542b706cb31eca554e8004f7552321646208b239b2d2709ee519cf40dd
                                  • Instruction Fuzzy Hash: D15157B09002498FDB55DFAAD948BDEBBF5EF48304F24C45AE009A7360D7389944CB65

                                  Control-flow Graph

                                  control_flow_graph 936 6463610-646369f GetCurrentProcess 940 64636a1-64636a7 936->940 941 64636a8-64636dc GetCurrentThread 936->941 940->941 942 64636e5-6463719 GetCurrentProcess 941->942 943 64636de-64636e4 941->943 945 6463722-646373d call 64637e0 942->945 946 646371b-6463721 942->946 943->942 949 6463743-6463772 GetCurrentThreadId 945->949 946->945 950 6463774-646377a 949->950 951 646377b-64637dd 949->951 950->951
                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 0646368E
                                  • GetCurrentThread.KERNEL32 ref: 064636CB
                                  • GetCurrentProcess.KERNEL32 ref: 06463708
                                  • GetCurrentThreadId.KERNEL32 ref: 06463761
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297514326.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6460000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 227fa55f90bef124c02115a48947267acb0a31ed757da5e120cb36f75c23018d
                                  • Instruction ID: 39cd9019d02bbd4aa78c09c9d7d60a2691b5d897f1e3461a25cd31f890705e67
                                  • Opcode Fuzzy Hash: 227fa55f90bef124c02115a48947267acb0a31ed757da5e120cb36f75c23018d
                                  • Instruction Fuzzy Hash: C85146B09003498FDB55DFAAD948BDEBBF5EF88304F24C45AE019A7360D738A944CB65

                                  Control-flow Graph

                                  control_flow_graph 959 6489158-648917d 960 648917f-6489182 959->960 961 64891a8-64891ab 960->961 962 6489184-64891a3 960->962 963 6489a6b-6489a6d 961->963 964 64891b1-64891c6 961->964 962->961 965 6489a6f 963->965 966 6489a74-6489a77 963->966 970 64891c8-64891ce 964->970 971 64891de-64891f4 964->971 965->966 966->960 968 6489a7d-6489a87 966->968 973 64891d0 970->973 974 64891d2-64891d4 970->974 976 64891ff-6489201 971->976 973->971 974->971 977 6489219-648928a 976->977 978 6489203-6489209 976->978 989 648928c-64892af 977->989 990 64892b6-64892d2 977->990 979 648920b 978->979 980 648920d-648920f 978->980 979->977 980->977 989->990 995 64892fe-6489319 990->995 996 64892d4-64892f7 990->996 1001 648931b-648933d 995->1001 1002 6489344-648935f 995->1002 996->995 1001->1002 1007 648938a-6489394 1002->1007 1008 6489361-6489383 1002->1008 1009 64893a4-648941e 1007->1009 1010 6489396-648939f 1007->1010 1008->1007 1016 648946b-6489480 1009->1016 1017 6489420-648943e 1009->1017 1010->968 1016->963 1021 648945a-6489469 1017->1021 1022 6489440-648944f 1017->1022 1021->1016 1021->1017 1022->1021
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $jq$$jq$$jq$$jq
                                  • API String ID: 0-2428501249
                                  • Opcode ID: 42a188e091afaff2ac4fae8964613a9ed190991d0f5427806f7fad550a313b8a
                                  • Instruction ID: 3946bc9219efc22d03b495b4d4971c68b2c7b0e17f00ddacfe5404dd9b2e9009
                                  • Opcode Fuzzy Hash: 42a188e091afaff2ac4fae8964613a9ed190991d0f5427806f7fad550a313b8a
                                  • Instruction Fuzzy Hash: 2A913230F1050A8FDF65EB69D9507AF77B6AF85200F10856AD809EB358EB349D45CB90

                                  Control-flow Graph

                                  control_flow_graph 1025 648cf48-648cf63 1026 648cf65-648cf68 1025->1026 1027 648cf6a-648cfac 1026->1027 1028 648cfb1-648cfb4 1026->1028 1027->1028 1029 648cfc3-648cfc6 1028->1029 1030 648cfb6-648cfb8 1028->1030 1033 648cfc8-648d00a 1029->1033 1034 648d00f-648d012 1029->1034 1031 648cfbe 1030->1031 1032 648d2ef-648d2f8 1030->1032 1031->1029 1036 648d2fa-648d2ff 1032->1036 1037 648d307-648d313 1032->1037 1033->1034 1038 648d05b-648d05e 1034->1038 1039 648d014-648d023 1034->1039 1036->1037 1044 648d319-648d32d 1037->1044 1045 648d424-648d429 1037->1045 1041 648d060-648d0a2 1038->1041 1042 648d0a7-648d0aa 1038->1042 1046 648d032-648d03e 1039->1046 1047 648d025-648d02a 1039->1047 1041->1042 1048 648d0ac-648d0ee 1042->1048 1049 648d0f3-648d0f6 1042->1049 1059 648d431 1044->1059 1060 648d333-648d345 1044->1060 1045->1059 1050 648d044-648d056 1046->1050 1051 648d965-648d99e 1046->1051 1047->1046 1048->1049 1057 648d0f8-648d10e 1049->1057 1058 648d113-648d116 1049->1058 1050->1038 1072 648d9a0-648d9a3 1051->1072 1057->1058 1063 648d118-648d11d 1058->1063 1064 648d120-648d123 1058->1064 1068 648d434-648d440 1059->1068 1085 648d369-648d36b 1060->1085 1086 648d347-648d34d 1060->1086 1063->1064 1067 648d129-648d12c 1064->1067 1064->1068 1077 648d12e-648d170 1067->1077 1078 648d175-648d178 1067->1078 1068->1039 1079 648d446-648d733 1068->1079 1073 648d9b2-648d9b5 1072->1073 1074 648d9a5 1072->1074 1083 648d9e8-648d9eb 1073->1083 1084 648d9b7-648d9e3 1073->1084 1285 648d9a5 call 648dabd 1074->1285 1286 648d9a5 call 648dad0 1074->1286 1077->1078 1081 648d17a-648d1bc 1078->1081 1082 648d1c1-648d1c4 1078->1082 1238 648d739-648d73f 1079->1238 1239 648d95a-648d964 1079->1239 1081->1082 1098 648d20d-648d210 1082->1098 1099 648d1c6-648d208 1082->1099 1092 648d9ed-648da09 1083->1092 1093 648da0e-648da10 1083->1093 1084->1083 1108 648d375-648d381 1085->1108 1095 648d34f 1086->1095 1096 648d351-648d35d 1086->1096 1091 648d9ab-648d9ad 1091->1073 1092->1093 1102 648da12 1093->1102 1103 648da17-648da1a 1093->1103 1106 648d35f-648d367 1095->1106 1096->1106 1100 648d212-648d22e 1098->1100 1101 648d233-648d236 1098->1101 1099->1098 1100->1101 1114 648d238-648d247 1101->1114 1115 648d27f-648d282 1101->1115 1102->1103 1103->1072 1113 648da1c-648da2b 1103->1113 1106->1108 1127 648d38f 1108->1127 1128 648d383-648d38d 1108->1128 1143 648da2d-648da90 call 64865a8 1113->1143 1144 648da92-648daa7 1113->1144 1121 648d249-648d24e 1114->1121 1122 648d256-648d262 1114->1122 1124 648d291-648d294 1115->1124 1125 648d284-648d286 1115->1125 1121->1122 1122->1051 1134 648d268-648d27a 1122->1134 1136 648d2dd-648d2df 1124->1136 1137 648d296-648d2d8 1124->1137 1125->1059 1135 648d28c 1125->1135 1139 648d394-648d396 1127->1139 1128->1139 1134->1115 1135->1124 1140 648d2e1 1136->1140 1141 648d2e6-648d2e9 1136->1141 1137->1136 1139->1059 1147 648d39c-648d3b8 call 64865a8 1139->1147 1140->1141 1141->1026 1141->1032 1143->1144 1156 648daa8 1144->1156 1169 648d3ba-648d3bf 1147->1169 1170 648d3c7-648d3d3 1147->1170 1156->1156 1169->1170 1170->1045 1173 648d3d5-648d422 1170->1173 1173->1059 1240 648d74e-648d757 1238->1240 1241 648d741-648d746 1238->1241 1240->1051 1242 648d75d-648d770 1240->1242 1241->1240 1244 648d94a-648d954 1242->1244 1245 648d776-648d77c 1242->1245 1244->1238 1244->1239 1246 648d78b-648d794 1245->1246 1247 648d77e-648d783 1245->1247 1246->1051 1248 648d79a-648d7bb 1246->1248 1247->1246 1251 648d7ca-648d7d3 1248->1251 1252 648d7bd-648d7c2 1248->1252 1251->1051 1253 648d7d9-648d7f6 1251->1253 1252->1251 1253->1244 1256 648d7fc-648d802 1253->1256 1256->1051 1257 648d808-648d821 1256->1257 1259 648d93d-648d944 1257->1259 1260 648d827-648d84e 1257->1260 1259->1244 1259->1256 1260->1051 1263 648d854-648d85e 1260->1263 1263->1051 1264 648d864-648d87b 1263->1264 1266 648d88a-648d8a5 1264->1266 1267 648d87d-648d888 1264->1267 1266->1259 1272 648d8ab-648d8c4 call 64865a8 1266->1272 1267->1266 1276 648d8d3-648d8dc 1272->1276 1277 648d8c6-648d8cb 1272->1277 1276->1051 1278 648d8e2-648d936 1276->1278 1277->1276 1278->1259 1285->1091 1286->1091
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $jq$$jq$$jq
                                  • API String ID: 0-3696375380
                                  • Opcode ID: 325149e1fb97d74faef908798babdc193e4c82f10997e7d84a789da758408d78
                                  • Instruction ID: bc7cefdfe377fb6df74cce9cda4910925d4c213a3bbae0a2ce1498a6175bc9c1
                                  • Opcode Fuzzy Hash: 325149e1fb97d74faef908798babdc193e4c82f10997e7d84a789da758408d78
                                  • Instruction Fuzzy Hash: D2623030A102058FCB55EF68E690A5EB7B6FF85304F20C669D4059F3A9DB79ED46CB80

                                  Control-flow Graph

                                  control_flow_graph 1287 6484788-64847ac 1288 64847ae-64847b1 1287->1288 1289 6484e90-6484e93 1288->1289 1290 64847b7-64848af 1288->1290 1291 6484eb4-6484eb6 1289->1291 1292 6484e95-6484eaf 1289->1292 1310 6484932-6484939 1290->1310 1311 64848b5-64848fd 1290->1311 1294 6484eb8 1291->1294 1295 6484ebd-6484ec0 1291->1295 1292->1291 1294->1295 1295->1288 1297 6484ec6-6484ed3 1295->1297 1312 64849bd-64849c6 1310->1312 1313 648493f-64849af 1310->1313 1333 6484902 call 6485040 1311->1333 1334 6484902 call 6485031 1311->1334 1312->1297 1330 64849ba 1313->1330 1331 64849b1 1313->1331 1324 6484908-6484924 1328 648492f-6484930 1324->1328 1329 6484926 1324->1329 1328->1310 1329->1328 1330->1312 1331->1330 1333->1324 1334->1324
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: foq$XPoq$\Ooq
                                  • API String ID: 0-3137531485
                                  • Opcode ID: 10830468a66b5b372adba797871c54c944eb8a839e7ddb556b64605fb1589f54
                                  • Instruction ID: 6231b5a9a73e3e40b748ec933417c25f10a1f029eec03120bab1da1504283bdd
                                  • Opcode Fuzzy Hash: 10830468a66b5b372adba797871c54c944eb8a839e7ddb556b64605fb1589f54
                                  • Instruction Fuzzy Hash: 7B618170F002199FEB55EFA5C9157AEBAF6EF88700F20842AE105AB395DF758D41CB90

                                  Control-flow Graph

                                  control_flow_graph 2346 648914a-648917d 2348 648917f-6489182 2346->2348 2349 64891a8-64891ab 2348->2349 2350 6489184-64891a3 2348->2350 2351 6489a6b-6489a6d 2349->2351 2352 64891b1-64891c6 2349->2352 2350->2349 2353 6489a6f 2351->2353 2354 6489a74-6489a77 2351->2354 2358 64891c8-64891ce 2352->2358 2359 64891de-64891f4 2352->2359 2353->2354 2354->2348 2356 6489a7d-6489a87 2354->2356 2361 64891d0 2358->2361 2362 64891d2-64891d4 2358->2362 2364 64891ff-6489201 2359->2364 2361->2359 2362->2359 2365 6489219-648928a 2364->2365 2366 6489203-6489209 2364->2366 2377 648928c-64892af 2365->2377 2378 64892b6-64892d2 2365->2378 2367 648920b 2366->2367 2368 648920d-648920f 2366->2368 2367->2365 2368->2365 2377->2378 2383 64892fe-6489319 2378->2383 2384 64892d4-64892f7 2378->2384 2389 648931b-648933d 2383->2389 2390 6489344-648935f 2383->2390 2384->2383 2389->2390 2395 648938a-6489394 2390->2395 2396 6489361-6489383 2390->2396 2397 64893a4-648941e 2395->2397 2398 6489396-648939f 2395->2398 2396->2395 2404 648946b-6489480 2397->2404 2405 6489420-648943e 2397->2405 2398->2356 2404->2351 2409 648945a-6489469 2405->2409 2410 6489440-648944f 2405->2410 2409->2404 2409->2405 2410->2409
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $jq$$jq
                                  • API String ID: 0-3720491408
                                  • Opcode ID: b1406aaf194baa673a400cff26f2f0b4250212aaaed91ee7bae18305f65ddf38
                                  • Instruction ID: 493966e435003bf427f8654550161a7a56386860a0371406d075f3f4a5073fd7
                                  • Opcode Fuzzy Hash: b1406aaf194baa673a400cff26f2f0b4250212aaaed91ee7bae18305f65ddf38
                                  • Instruction Fuzzy Hash: 3B513030B005059FDFA5EB68DA51BAF77F6EB88210F50856AD809D7358EA34EC42CB90
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0646BD9E
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297514326.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6460000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: fa897c06d30662f370f88c8d116c20723f3f04d6258fd69a96a5e041e9cded4f
                                  • Instruction ID: 46db3cb7297023517439621320f606620067b477eed9f930c9f52fe3d6b5f122
                                  • Opcode Fuzzy Hash: fa897c06d30662f370f88c8d116c20723f3f04d6258fd69a96a5e041e9cded4f
                                  • Instruction Fuzzy Hash: 08812370A00B058FDBA5DF2AD44475ABBE1FF88200F00892EE48AD7B50DB75E955CB91
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0646DE42
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297514326.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6460000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: e0c42df0c4c618b20dd5607647c3347fa23943eeb075527b39f6422bf7514866
                                  • Instruction ID: fba8d8b425f83951d2d1e7317f00016646715d8370e87ddf19fa136e9af88dc8
                                  • Opcode Fuzzy Hash: e0c42df0c4c618b20dd5607647c3347fa23943eeb075527b39f6422bf7514866
                                  • Instruction Fuzzy Hash: 7651E2B1D00249AFDF15DF9AC984ADEBFB5FF88300F14816AE918AB220D7759841CF91
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3292386742.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_ce0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e3f9df192f78059e0a3f25c23137b8b5c89da67543f87179301e07971395c4ec
                                  • Instruction ID: c56bd9cb0bcf2a8d524ff9641b9f7d1a1f11b982e9f2a2ae22ed08c0d50fb606
                                  • Opcode Fuzzy Hash: e3f9df192f78059e0a3f25c23137b8b5c89da67543f87179301e07971395c4ec
                                  • Instruction Fuzzy Hash: 59413672D043998FCB04DFAAD8002EEBBF1FF89310F14856AD508A7251DB789985CBD0
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0646DE42
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297514326.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6460000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 810e5926cffbb2767c475aae4d211b1bf32746e65938563f9812f76f3b6b32ec
                                  • Instruction ID: ab012381c992c164b788ccc86cc5031fad063439fb397925f8726e20256335f1
                                  • Opcode Fuzzy Hash: 810e5926cffbb2767c475aae4d211b1bf32746e65938563f9812f76f3b6b32ec
                                  • Instruction Fuzzy Hash: F651CFB1D10349AFDB15DF9AC984ADEFBB5BF88310F24812AE419AB210D7759841CF91
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0646DE42
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297514326.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6460000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: f523935f6b92143424c9596f5af62a9d20f1d64d62aa6d27988162e84c73d0d3
                                  • Instruction ID: 880627333c89320a3a1fd41172b0e8c6c2cbab58646056df158cfe23b99b0448
                                  • Opcode Fuzzy Hash: f523935f6b92143424c9596f5af62a9d20f1d64d62aa6d27988162e84c73d0d3
                                  • Instruction Fuzzy Hash: 6F41BFB1D103499FDB15DF9AC984ADEFBB5FF88310F24812AE818AB210D7759885CF91
                                  APIs
                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00CE7127
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3292386742.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_ce0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  • Opcode ID: 81b83739cb82774dad6a1adb590e12d09facfd4231cf02c283fdae973b3372e2
                                  • Instruction ID: 61370b9f128642e63091c56ea3c21db3f5da6cda7fd833bde633f3e5bf422b58
                                  • Opcode Fuzzy Hash: 81b83739cb82774dad6a1adb590e12d09facfd4231cf02c283fdae973b3372e2
                                  • Instruction Fuzzy Hash: F72169B18002598FCB10DF9AD844BEEFBF4EF49310F14841AE459A3250D778A945CFA5
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064638DF
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297514326.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6460000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: b31113f58bb834e98f92e9b448554fe06c48a3dc95af712899983897ab980c71
                                  • Instruction ID: 1d46a62a7afae957394447e1d35dae5375ed7e2985e0b90e1d64ae06a0c24943
                                  • Opcode Fuzzy Hash: b31113f58bb834e98f92e9b448554fe06c48a3dc95af712899983897ab980c71
                                  • Instruction Fuzzy Hash: AD21E5B5D002499FDB10CFAAD985ADEBFF8FB48310F14841AE914A7310D379A940CFA5
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064638DF
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297514326.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6460000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 00a3924c23ebbe52db54c4f7850d2c837b052e3bc695870b3ba26ebf9d8e645d
                                  • Instruction ID: a9546492fecbb98df8423cbfc4e1ed379111911362e3316e967f50fef709b675
                                  • Opcode Fuzzy Hash: 00a3924c23ebbe52db54c4f7850d2c837b052e3bc695870b3ba26ebf9d8e645d
                                  • Instruction Fuzzy Hash: 3421E0B59002499FDB10CFAAD984ADEBBF8FB48310F14801AE918A7310D379A940CFA5
                                  APIs
                                  • GlobalMemoryStatusEx.KERNELBASE ref: 00CEF377
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3292386742.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_ce0000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: 6e5536f67407c43ed2046859ec27859a3a43b04c4785312b360b7c24bae3f3ff
                                  • Instruction ID: c7c9742204a4cbd9a07753f7697dbcaeea8a452124e402093122e7319a395a12
                                  • Opcode Fuzzy Hash: 6e5536f67407c43ed2046859ec27859a3a43b04c4785312b360b7c24bae3f3ff
                                  • Instruction Fuzzy Hash: 6D1100B1C006599FCB14DF9AD544BEEFBF4AF48320F14816AD818A7250D378A945CFA5
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0646BD9E
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297514326.0000000006460000.00000040.00000800.00020000.00000000.sdmp, Offset: 06460000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6460000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: db6c4bfc5307e81e223f0ca60438d73eeb9aa5588818135488cb8470ba1027a0
                                  • Instruction ID: e90992819659279e0e4b8a15d26b326ac411aa505e0993999910bd823de2230f
                                  • Opcode Fuzzy Hash: db6c4bfc5307e81e223f0ca60438d73eeb9aa5588818135488cb8470ba1027a0
                                  • Instruction Fuzzy Hash: 2011E0B5C003498FDB14DF9AD844ADEFBF8EF88314F10841AD859AB210D379A545CFA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: XPoq
                                  • API String ID: 0-2250694691
                                  • Opcode ID: e60153c6999933f2a1b667bc45b951f538561dd3e44ab10f64e9b5a2503be5e9
                                  • Instruction ID: 2fa24452cc7717c8c100a9a6b9fc95b1418a1b01b0151e98d4095811ee3affe7
                                  • Opcode Fuzzy Hash: e60153c6999933f2a1b667bc45b951f538561dd3e44ab10f64e9b5a2503be5e9
                                  • Instruction Fuzzy Hash: 48416170E002089FDB55EFA5C915BAEBAF6FF88700F20852AE105AB395DB758C01CB94
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHjq
                                  • API String ID: 0-751881793
                                  • Opcode ID: df5e5b3e40b3bdec4ef291fca66b1ec0d9bcdcba40202fb7fc0bfe7875c76420
                                  • Instruction ID: 2a5c0223d7b83c8a3a8514b9fcecf566327cceab38aeb7fe99743a9a42777bdb
                                  • Opcode Fuzzy Hash: df5e5b3e40b3bdec4ef291fca66b1ec0d9bcdcba40202fb7fc0bfe7875c76420
                                  • Instruction Fuzzy Hash: 32418030E112058FDF55EF64C94469EBBB2FF85304F20852AD406EB391EB75E946CB41
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHjq
                                  • API String ID: 0-751881793
                                  • Opcode ID: f84307a8c5fa49c266276cbc39ecbbd8c00e47f1ae2f24eca36c7577317e3aa8
                                  • Instruction ID: 6a88be0ad546f18f6adfdfc060226bd2aa532c8976e5b92d52b566d05f20487d
                                  • Opcode Fuzzy Hash: f84307a8c5fa49c266276cbc39ecbbd8c00e47f1ae2f24eca36c7577317e3aa8
                                  • Instruction Fuzzy Hash: 5E416D30E112099FDB65AF65D95479EBBB6BF85300F20852AD402E7390EB74A946CB81
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHjq
                                  • API String ID: 0-751881793
                                  • Opcode ID: e786d64045667425cac2399eabfc264e52aad9fb5d7c464e6254dd12fd668068
                                  • Instruction ID: 2ea2db859ca0de3f876718088b1f140264c48eb19aad14c0848499b862b9b703
                                  • Opcode Fuzzy Hash: e786d64045667425cac2399eabfc264e52aad9fb5d7c464e6254dd12fd668068
                                  • Instruction Fuzzy Hash: 4431D130B102018FCF56AB74D6547AF7BA2BB89210F20886AD406DB355DFB9DE42CBD0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHjq
                                  • API String ID: 0-751881793
                                  • Opcode ID: 5011e7d88d04cb92dc731ea65a2c56fc7557144b01e1896247009402ddde4b52
                                  • Instruction ID: 61c424d4a37a1ed3976de2775776dd7cd0faf71b64435c28a64b830ab3897d79
                                  • Opcode Fuzzy Hash: 5011e7d88d04cb92dc731ea65a2c56fc7557144b01e1896247009402ddde4b52
                                  • Instruction Fuzzy Hash: 3A31CF30B102018FCB5AAB74D55476F7BA6AFC9600F208529D406DB395EF79ED06CBD0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: |
                                  • API String ID: 0-2343686810
                                  • Opcode ID: e78ffff915e3c839a8e7cf7336acbdc4fe811734497cdb719b03dc951b758eac
                                  • Instruction ID: a7df46263af78bc8712201cc9ca1eb5947527728ce2e287ee76208ed8b037cdd
                                  • Opcode Fuzzy Hash: e78ffff915e3c839a8e7cf7336acbdc4fe811734497cdb719b03dc951b758eac
                                  • Instruction Fuzzy Hash: 0E21D170B143508FDB559B788805BAD7BF1EF49700F1184AEE54ADB3A2DB789C00CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: |
                                  • API String ID: 0-2343686810
                                  • Opcode ID: 8df6fe51d9ea212ae062dc1c110ae276c9ba17b03467d567c9c6886b7aa90579
                                  • Instruction ID: ac7742d76ab83e94fdd7769569d176d23259e56a17bebfb1892f46172814cd8d
                                  • Opcode Fuzzy Hash: 8df6fe51d9ea212ae062dc1c110ae276c9ba17b03467d567c9c6886b7aa90579
                                  • Instruction Fuzzy Hash: 39115E71B102159FDB94AF789805B6D7BF2AF4C750F10846AE60AE73A4DB359901DB80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: $jq
                                  • API String ID: 0-2886413773
                                  • Opcode ID: 43748566454a8773de92e1ed99d27ec4427386fbf9e0a058c86c8f8700765f08
                                  • Instruction ID: 85c4fdadf7425d24cf55e54dcb9d08c9d74cf79b0d9e5c9a026e23bac2de91a1
                                  • Opcode Fuzzy Hash: 43748566454a8773de92e1ed99d27ec4427386fbf9e0a058c86c8f8700765f08
                                  • Instruction Fuzzy Hash: ECF0AF31A00215CFDF65BE88EA812AE77A5EB51210F94846BD904D7756D737DD06CB80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: \Ooq
                                  • API String ID: 0-507417401
                                  • Opcode ID: 78e7b0f9e8f22ce3ff31fd37c0902d8c61bd2c44d2fb8ddbf464084eeab038c6
                                  • Instruction ID: aa1681dc3d5ee9cc1e9217f29c992efceda2f8baf5f7666e08fcba3c4cb70289
                                  • Opcode Fuzzy Hash: 78e7b0f9e8f22ce3ff31fd37c0902d8c61bd2c44d2fb8ddbf464084eeab038c6
                                  • Instruction Fuzzy Hash: 56F0FE30A1011ADFDB14EF94E859BAEBBB2FF84B04F20451AE402A7390CBB41C46CF80
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c82dabe596225f64cb3e11afa65897c31fd872b1952352fda00b6d86b83ecfa5
                                  • Instruction ID: 4ebe63374073e4f259608b6b8bd6492cfd575feaa7f007f1dbc98ac71931386b
                                  • Opcode Fuzzy Hash: c82dabe596225f64cb3e11afa65897c31fd872b1952352fda00b6d86b83ecfa5
                                  • Instruction Fuzzy Hash: AB619071F001114FCB95AB6ADC4066FBADBEF84620B56443AE80ADB368DE79DD0287C5
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 785b07ccd7c970a8090a33cb04a4126cc7aaaa17a7202ef483ff7776a1574e7e
                                  • Instruction ID: 38e201e2c26145016d647eb5dcd9dd82fafe73cd4ddb8304b88327537cb27cf1
                                  • Opcode Fuzzy Hash: 785b07ccd7c970a8090a33cb04a4126cc7aaaa17a7202ef483ff7776a1574e7e
                                  • Instruction Fuzzy Hash: 19812F30B1020A9FDF55EFA8C9546AEB7F6AF95700F108529E40ADB359EB35DC42CB81
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e56d3406dbd6734f37d1945c523c7b44c8af5e8341ead6667c31f19bcf48e0cf
                                  • Instruction ID: 0cc0074cf3bfb8be1bd0c0db5720ef25031ad6c619240a2c02b9e676eb7ea04d
                                  • Opcode Fuzzy Hash: e56d3406dbd6734f37d1945c523c7b44c8af5e8341ead6667c31f19bcf48e0cf
                                  • Instruction Fuzzy Hash: CF812E30B1020A9FDF55EFA8C95466EBBF6AF95700F108529E40ADB359EB34DC42CB91
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 59b1ac675ec83d9c1585a91773d64737d0ce0f0703675fc92d0ae5047908bceb
                                  • Instruction ID: e4864f9ebf036ffd42bd466480ac223525aa62e282ccae08b6e981ce6fcee629
                                  • Opcode Fuzzy Hash: 59b1ac675ec83d9c1585a91773d64737d0ce0f0703675fc92d0ae5047908bceb
                                  • Instruction Fuzzy Hash: DE913070E1021A8FDF51DF68C850B9EB7B1FF89310F208596D549AB355DB70A985CF50
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e65dd9796def07e413e9dd67275c4e04ce33ac43de7c320a73bcd90fb30243f6
                                  • Instruction ID: f6341ec5fd0c334bfbe008aa2d9dc48ee2d66a6b51a583fce014c4190367ee0d
                                  • Opcode Fuzzy Hash: e65dd9796def07e413e9dd67275c4e04ce33ac43de7c320a73bcd90fb30243f6
                                  • Instruction Fuzzy Hash: 89713B70A002099FCB55EFA9D980A9EBBF6FF84314F24842AE015EB355DB34ED46CB50
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f423a5320da8e5c2d968b74e6dff29d9650347b09e2350395394dc20585ac565
                                  • Instruction ID: 8fe456c18678ca030953e55fe004abb75787fa2056f6b709c0ece007e0344e2f
                                  • Opcode Fuzzy Hash: f423a5320da8e5c2d968b74e6dff29d9650347b09e2350395394dc20585ac565
                                  • Instruction Fuzzy Hash: C3912E70E1021A8FDF60DF68C850B9EB7B1FF89310F208599D549AB355EB70AA85CF50
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 323d93295f1ea4be1c2d09995bd0d74e7df32afcc327e51312f61d0cb7f19270
                                  • Instruction ID: cc8404282660df7f70f1639354fc3a1461dd8d64f1ee04bee78e5775ec498ef2
                                  • Opcode Fuzzy Hash: 323d93295f1ea4be1c2d09995bd0d74e7df32afcc327e51312f61d0cb7f19270
                                  • Instruction Fuzzy Hash: BA711C70A002099FCB55EFA9D990A9EBBF6FF84314F24842AE405EB355DB34ED46CB50
                                  Memory Dump Source
                                  • Source File: 00000004.00000002.3297674064.0000000006480000.00000040.00000800.00020000.00000000.sdmp, Offset: 06480000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_6480000_lFlw40OH6u.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a63041dd2ef200310ae2baca1dc8052626b39180e8a8a872a81a61353edd405f