Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
kzy8qg5lbR.exe

Overview

General Information

Sample name:kzy8qg5lbR.exe
renamed because original name is a hash value
Original sample name:8cd8abcb282f372de8c9de1c810b3b201b74974de71166809a7db64f8e344a9b.exe
Analysis ID:1587599
MD5:9c3df8227bb53d5b57e8bc749442965a
SHA1:d33afdad1eadbef7fec5c8df379e4aefabc07391
SHA256:8cd8abcb282f372de8c9de1c810b3b201b74974de71166809a7db64f8e344a9b
Tags:exeuser-adrian__luca
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • kzy8qg5lbR.exe (PID: 1976 cmdline: "C:\Users\user\Desktop\kzy8qg5lbR.exe" MD5: 9C3DF8227BB53D5B57E8BC749442965A)
    • powershell.exe (PID: 5972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7496 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 5900 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DeQadQO.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5952 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • kzy8qg5lbR.exe (PID: 7248 cmdline: "C:\Users\user\Desktop\kzy8qg5lbR.exe" MD5: 9C3DF8227BB53D5B57E8BC749442965A)
  • DeQadQO.exe (PID: 7320 cmdline: C:\Users\user\AppData\Roaming\DeQadQO.exe MD5: 9C3DF8227BB53D5B57E8BC749442965A)
    • schtasks.exe (PID: 7612 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpEA3C.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • DeQadQO.exe (PID: 7664 cmdline: "C:\Users\user\AppData\Roaming\DeQadQO.exe" MD5: 9C3DF8227BB53D5B57E8BC749442965A)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000E.00000002.2768568384.0000000002F8E000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000009.00000002.2768942453.0000000002ECE000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      00000009.00000002.2765766310.0000000000435000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        00000009.00000002.2765766310.0000000000435000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          0000000E.00000002.2768568384.0000000002F41000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 13 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.kzy8qg5lbR.exe.3f24390.1.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.kzy8qg5lbR.exe.3f24390.1.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.kzy8qg5lbR.exe.3f24390.1.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                0.2.kzy8qg5lbR.exe.3ee9970.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  0.2.kzy8qg5lbR.exe.3ee9970.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 9 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\kzy8qg5lbR.exe", ParentImage: C:\Users\user\Desktop\kzy8qg5lbR.exe, ParentProcessId: 1976, ParentProcessName: kzy8qg5lbR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe", ProcessId: 5972, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\kzy8qg5lbR.exe", ParentImage: C:\Users\user\Desktop\kzy8qg5lbR.exe, ParentProcessId: 1976, ParentProcessName: kzy8qg5lbR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe", ProcessId: 5972, ProcessName: powershell.exe
                    Sigma detected: Suspicious Add Scheduled Task Parent
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpEA3C.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpEA3C.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\DeQadQO.exe, ParentImage: C:\Users\user\AppData\Roaming\DeQadQO.exe, ParentProcessId: 7320, ParentProcessName: DeQadQO.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpEA3C.tmp", ProcessId: 7612, ProcessName: schtasks.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\kzy8qg5lbR.exe, Initiated: true, ProcessId: 7248, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49709
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\kzy8qg5lbR.exe", ParentImage: C:\Users\user\Desktop\kzy8qg5lbR.exe, ParentProcessId: 1976, ParentProcessName: kzy8qg5lbR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp", ProcessId: 5952, ProcessName: schtasks.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\kzy8qg5lbR.exe", ParentImage: C:\Users\user\Desktop\kzy8qg5lbR.exe, ParentProcessId: 1976, ParentProcessName: kzy8qg5lbR.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe", ProcessId: 5972, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    barindex
                    Sigma detected: Scheduled temp file as task from temp location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\kzy8qg5lbR.exe", ParentImage: C:\Users\user\Desktop\kzy8qg5lbR.exe, ParentProcessId: 1976, ParentProcessName: kzy8qg5lbR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp", ProcessId: 5952, ProcessName: schtasks.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Antivirus / Scanner detection for submitted sample
                    Source: kzy8qg5lbR.exeAvira: detected
                    Antivirus detection for URL or domain
                    Source: http://mail.iaa-airferight.comAvira URL Cloud: Label: malware
                    Antivirus detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeAvira: detection malicious, Label: TR/AD.GenSteal.oilgp
                    Found malware configuration
                    Source: 0.2.kzy8qg5lbR.exe.3f24390.1.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeReversingLabs: Detection: 87%
                    Multi AV Scanner detection for submitted file
                    Source: kzy8qg5lbR.exeVirustotal: Detection: 80%Perma Link
                    Source: kzy8qg5lbR.exeReversingLabs: Detection: 87%
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: kzy8qg5lbR.exeJoe Sandbox ML: detected
                    Source: kzy8qg5lbR.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: kzy8qg5lbR.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3f24390.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3ee9970.2.raw.unpack, type: UNPACKEDPE
                    Source: Joe Sandbox ViewIP Address: 46.175.148.58 46.175.148.58
                    Source: global trafficTCP traffic: 192.168.2.8:49709 -> 46.175.148.58:25
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: mail.iaa-airferight.com
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                    Source: kzy8qg5lbR.exe, 00000009.00000002.2768942453.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, DeQadQO.exe, 0000000E.00000002.2768568384.0000000002F96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.iaa-airferight.com
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://ocsp.digicert.com0
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://ocsp.digicert.com0A
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://ocsp.digicert.com0C
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://ocsp.digicert.com0X
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://s2.symcb.com0
                    Source: kzy8qg5lbR.exe, 00000000.00000002.1535336276.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, DeQadQO.exe, 0000000A.00000002.1581908816.0000000002FBE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://www.digicert.com/CPS0
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://www.symauth.com/cps0(
                    Source: kzy8qg5lbR.exe, DeQadQO.exe.0.drString found in binary or memory: http://www.symauth.com/rpa00
                    Source: kzy8qg5lbR.exe, 00000000.00000002.1536440135.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, kzy8qg5lbR.exe, 00000009.00000002.2765766310.0000000000435000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.kzy8qg5lbR.exe.3f24390.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.kzy8qg5lbR.exe.3ee9970.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.kzy8qg5lbR.exe.3f24390.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.kzy8qg5lbR.exe.3ee9970.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_0151D3040_2_0151D304
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_07270E680_2_07270E68
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_072746280_2_07274628
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_072746180_2_07274618
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_0727C6780_2_0727C678
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_072761600_2_07276160
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_072761700_2_07276170
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_072741F00_2_072741F0
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_07270E590_2_07270E59
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_07273DB80_2_07273DB8
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_072739800_2_07273980
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_013B41C89_2_013B41C8
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_013B93649_2_013B9364
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_013B96E09_2_013B96E0
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_013B9B389_2_013B9B38
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_013B4A989_2_013B4A98
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_013BCDB09_2_013BCDB0
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_013B3E809_2_013B3E80
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_063A56D89_2_063A56D8
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_063A2F009_2_063A2F00
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_063A3F489_2_063A3F48
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_063ABD009_2_063ABD00
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_063ADD009_2_063ADD00
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_063A9AE09_2_063A9AE0
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_063A8B889_2_063A8B88
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_063A00409_2_063A0040
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_063A363B9_2_063A363B
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_063A4FF89_2_063A4FF8
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_0156D30410_2_0156D304
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_070F610810_2_070F6108
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_070F2E9010_2_070F2E90
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_070F35F810_2_070F35F8
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_070FAE9710_2_070FAE97
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_070FAEA810_2_070FAEA8
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071F0E6810_2_071F0E68
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071F461810_2_071F4618
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071F462810_2_071F4628
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071F0E5910_2_071F0E59
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071F3DB810_2_071F3DB8
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071F617010_2_071F6170
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071FB96010_2_071FB960
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071F616010_2_071F6160
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071F398010_2_071F3980
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071F41F010_2_071F41F0
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_02DA937814_2_02DA9378
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_02DA4A9814_2_02DA4A98
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_02DA9B3814_2_02DA9B38
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_02DA3E8014_2_02DA3E80
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_02DACDB014_2_02DACDB0
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_02DA41C814_2_02DA41C8
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_064C56D814_2_064C56D8
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_064C3F4814_2_064C3F48
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_064C2F0014_2_064C2F00
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_064CBD0014_2_064CBD00
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_064CDD0014_2_064CDD00
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_064C9AE014_2_064C9AE0
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_064C8B9814_2_064C8B98
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_064C004014_2_064C0040
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_064C365014_2_064C3650
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_064C4FF814_2_064C4FF8
                    Source: kzy8qg5lbR.exeStatic PE information: invalid certificate
                    Source: kzy8qg5lbR.exe, 00000000.00000002.1536440135.0000000003EE9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs kzy8qg5lbR.exe
                    Source: kzy8qg5lbR.exe, 00000000.00000002.1536440135.0000000003EE9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs kzy8qg5lbR.exe
                    Source: kzy8qg5lbR.exe, 00000000.00000002.1535336276.0000000002F3E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs kzy8qg5lbR.exe
                    Source: kzy8qg5lbR.exe, 00000000.00000002.1554263865.00000000075A0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs kzy8qg5lbR.exe
                    Source: kzy8qg5lbR.exe, 00000000.00000002.1555129254.0000000007C07000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs kzy8qg5lbR.exe
                    Source: kzy8qg5lbR.exe, 00000000.00000002.1533286322.000000000120E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs kzy8qg5lbR.exe
                    Source: kzy8qg5lbR.exe, 00000000.00000000.1502490443.0000000000AF2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamerBRD.exe@ vs kzy8qg5lbR.exe
                    Source: kzy8qg5lbR.exe, 00000009.00000002.2765766310.0000000000435000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs kzy8qg5lbR.exe
                    Source: kzy8qg5lbR.exe, 00000009.00000002.2766239592.00000000010F9000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs kzy8qg5lbR.exe
                    Source: kzy8qg5lbR.exeBinary or memory string: OriginalFilenamerBRD.exe@ vs kzy8qg5lbR.exe
                    Source: kzy8qg5lbR.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.kzy8qg5lbR.exe.3f24390.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.kzy8qg5lbR.exe.3ee9970.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.kzy8qg5lbR.exe.3f24390.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.kzy8qg5lbR.exe.3ee9970.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: kzy8qg5lbR.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: DeQadQO.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@19/15@1/1
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeFile created: C:\Users\user\AppData\Roaming\DeQadQO.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5944:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7620:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6080:120:WilError_03
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD8B8.tmpJump to behavior
                    Source: kzy8qg5lbR.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: kzy8qg5lbR.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: kzy8qg5lbR.exeVirustotal: Detection: 80%
                    Source: kzy8qg5lbR.exeReversingLabs: Detection: 87%
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeFile read: C:\Users\user\Desktop\kzy8qg5lbR.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\kzy8qg5lbR.exe "C:\Users\user\Desktop\kzy8qg5lbR.exe"
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DeQadQO.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Users\user\Desktop\kzy8qg5lbR.exe "C:\Users\user\Desktop\kzy8qg5lbR.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\DeQadQO.exe C:\Users\user\AppData\Roaming\DeQadQO.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpEA3C.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess created: C:\Users\user\AppData\Roaming\DeQadQO.exe "C:\Users\user\AppData\Roaming\DeQadQO.exe"
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DeQadQO.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Users\user\Desktop\kzy8qg5lbR.exe "C:\Users\user\Desktop\kzy8qg5lbR.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpEA3C.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess created: C:\Users\user\AppData\Roaming\DeQadQO.exe "C:\Users\user\AppData\Roaming\DeQadQO.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: kzy8qg5lbR.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: kzy8qg5lbR.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 0_2_072751B2 pushad ; ret 0_2_072751D1
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeCode function: 9_2_013B0BCD pushfd ; iretd 9_2_013B0BD2
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_0156F498 pushad ; iretd 10_2_0156F499
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_070FC287 pushad ; ret 10_2_070FC28A
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_070FB3E0 pushfd ; iretd 10_2_070FB3E9
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 10_2_071F51B3 pushad ; ret 10_2_071F51D1
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeCode function: 14_2_02DA0BCD pushfd ; iretd 14_2_02DA0BD2
                    Source: kzy8qg5lbR.exeStatic PE information: section name: .text entropy: 7.904066013657937
                    Source: DeQadQO.exe.0.drStatic PE information: section name: .text entropy: 7.904066013657937
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeFile created: C:\Users\user\AppData\Roaming\DeQadQO.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Icon mismatch, binary includes an icon from a different legit application in order to fool users
                    Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (129).png
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: kzy8qg5lbR.exe PID: 1976, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: DeQadQO.exe PID: 7320, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: 1510000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: 2EE0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: 4EE0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: 8F40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: 9F40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: A140000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: B140000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: 13B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: 2E80000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: 4E80000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory allocated: 14C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory allocated: 2F60000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory allocated: 14C0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory allocated: 89D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory allocated: 99D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory allocated: 9BB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory allocated: ABB0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory allocated: 2DA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory allocated: 2F40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory allocated: 4F40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6238Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7076Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeWindow / User API: threadDelayed 5573Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeWindow / User API: threadDelayed 4242Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeWindow / User API: threadDelayed 2511
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeWindow / User API: threadDelayed 7335
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 4152Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7340Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7336Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7284Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep count: 34 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -31359464925306218s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7412Thread sleep count: 5573 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -99860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -99741s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -99625s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -99513s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -99372s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -99247s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -99139s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -99027s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -98907s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7412Thread sleep count: 4242 > 30Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -98782s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -98657s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -98532s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -98407s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -98282s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -98163s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -98047s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -97938s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -97825s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -97716s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -97577s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -97469s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -97360s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -97235s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -97110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -96985s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -96860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -96735s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -96610s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -96485s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -96360s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -96228s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -96110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -95985s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -95855s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -95735s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -95532s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -95410s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -95282s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -95171s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -95063s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -94938s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -94813s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -94688s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -94563s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -94453s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -94344s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -94219s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -94109s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -94000s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -93891s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -93781s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exe TID: 7396Thread sleep time: -93672s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7408Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep count: 39 > 30
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -35971150943733603s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7748Thread sleep count: 2511 > 30
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -99891s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -99781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7748Thread sleep count: 7335 > 30
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -99672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -99563s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -99452s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -99344s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -99234s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -99118s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -99011s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -98883s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -98570s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -98439s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -98313s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -98203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -98094s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -97984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -97875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -97764s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -97641s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -97531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -97422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -97313s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -97203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -97093s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -96984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -96875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -96766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -96656s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -96547s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -96436s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -96328s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -96217s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -96107s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -95809s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -95703s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -95594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -95469s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -95356s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -95250s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -95138s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -95031s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -94922s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -94812s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -94703s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -94594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -94484s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -94375s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -94265s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -94156s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -94047s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exe TID: 7740Thread sleep time: -93937s >= -30000s
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 99860Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 99741Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 99625Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 99513Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 99372Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 99247Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 99139Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 99027Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 98907Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 98782Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 98657Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 98532Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 98407Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 98282Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 98163Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 98047Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 97938Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 97825Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 97716Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 97577Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 97469Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 97360Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 97235Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 97110Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 96985Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 96860Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 96735Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 96610Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 96485Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 96360Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 96228Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 96110Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 95985Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 95855Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 95735Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 95532Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 95410Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 95282Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 95171Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 95063Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 94938Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 94813Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 94688Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 94563Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 94453Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 94344Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 94219Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 94109Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 94000Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 93891Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 93781Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeThread delayed: delay time: 93672Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 99891
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 99781
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 99672
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 99563
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 99452
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 99344
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 99234
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 99118
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 99011
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 98883
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 98570
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 98439
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 98313
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 98203
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 98094
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 97984
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 97875
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 97764
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 97641
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 97531
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 97422
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 97313
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 97203
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 97093
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 96984
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 96875
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 96766
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 96656
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 96547
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 96436
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 96328
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 96217
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 96107
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 95809
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 95703
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 95594
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 95469
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 95356
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 95250
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 95138
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 95031
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 94922
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 94812
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 94703
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 94594
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 94484
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 94375
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 94265
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 94156
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 94047
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeThread delayed: delay time: 93937
                    Source: kzy8qg5lbR.exe, 00000009.00000002.2766296086.000000000120D000.00000004.00000020.00020000.00000000.sdmp, DeQadQO.exe, 0000000E.00000002.2766375420.00000000012D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe"
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DeQadQO.exe"
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DeQadQO.exe"Jump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeMemory written: C:\Users\user\Desktop\kzy8qg5lbR.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeMemory written: C:\Users\user\AppData\Roaming\DeQadQO.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DeQadQO.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeProcess created: C:\Users\user\Desktop\kzy8qg5lbR.exe "C:\Users\user\Desktop\kzy8qg5lbR.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpEA3C.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeProcess created: C:\Users\user\AppData\Roaming\DeQadQO.exe "C:\Users\user\AppData\Roaming\DeQadQO.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Users\user\Desktop\kzy8qg5lbR.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Users\user\Desktop\kzy8qg5lbR.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Users\user\AppData\Roaming\DeQadQO.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Users\user\AppData\Roaming\DeQadQO.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3f24390.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3ee9970.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3f24390.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3ee9970.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000E.00000002.2768568384.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2768942453.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2765766310.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.2768568384.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1536440135.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2768942453.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: kzy8qg5lbR.exe PID: 1976, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: kzy8qg5lbR.exe PID: 7248, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: DeQadQO.exe PID: 7664, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeFile opened: C:\FTP Navigator\Ftplist.txt
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Users\user\Desktop\kzy8qg5lbR.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\DeQadQO.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3f24390.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3ee9970.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3f24390.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3ee9970.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.2765766310.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.2768568384.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1536440135.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2768942453.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: kzy8qg5lbR.exe PID: 1976, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: kzy8qg5lbR.exe PID: 7248, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: DeQadQO.exe PID: 7664, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3f24390.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3ee9970.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3f24390.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.kzy8qg5lbR.exe.3ee9970.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000E.00000002.2768568384.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2768942453.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2765766310.0000000000435000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.2768568384.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1536440135.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2768942453.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: kzy8qg5lbR.exe PID: 1976, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: kzy8qg5lbR.exe PID: 7248, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: DeQadQO.exe PID: 7664, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    Scheduled Task/Job                    		111
                    Process Injection                    		11
                    Masquerading                    		2
                    OS Credential Dumping                    		211
                    Security Software Discovery                    		Remote Services1
                    Email Collection                    		1
                    Encrypted Channel                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		1
                    DLL Side-Loading                    		1
                    Scheduled Task/Job                    		11
                    Disable or Modify Tools                    		1
                    Credentials in Registry                    		1
                    Process Discovery                    		Remote Desktop Protocol1
                    Archive Collected Data                    		1
                    Non-Application Layer Protocol                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    DLL Side-Loading                    		141
                    Virtualization/Sandbox Evasion                    		Security Account Manager141
                    Virtualization/Sandbox Evasion                    		SMB/Windows Admin Shares2
                    Data from Local System                    		11
                    Application Layer Protocol                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook111
                    Process Injection                    		NTDS1
                    Application Window Discovery                    		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script2
                    Obfuscated Files or Information                    		LSA Secrets1
                    File and Directory Discovery                    		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
                    Software Packing                    		Cached Domain Credentials24
                    System Information Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    DLL Side-Loading                    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1587599 Sample: kzy8qg5lbR.exe Startdate: 10/01/2025 Architecture: WINDOWS Score: 100 46 mail.iaa-airferight.com 2->46 50 Found malware configuration 2->50 52 Malicious sample detected (through community Yara rule) 2->52 54 Antivirus detection for URL or domain 2->54 56 10 other signatures 2->56 8 kzy8qg5lbR.exe 7 2->8         started        12 DeQadQO.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\DeQadQO.exe, PE32 8->38 dropped 40 C:\Users\user\...\DeQadQO.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmpD8B8.tmp, XML 8->42 dropped 44 C:\Users\user\AppData\...\kzy8qg5lbR.exe.log, ASCII 8->44 dropped 58 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->58 60 Uses schtasks.exe or at.exe to add and modify task schedules 8->60 62 Adds a directory exclusion to Windows Defender 8->62 64 Injects a PE file into a foreign processes 8->64 14 kzy8qg5lbR.exe 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        22 schtasks.exe 1 8->22         started        66 Antivirus detection for dropped file 12->66 68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 24 DeQadQO.exe 12->24         started        26 schtasks.exe 12->26         started        signatures6 process7 dnsIp8 48 mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine 14->48 72 Loading BitLocker PowerShell Module 18->72 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        34 conhost.exe 22->34         started        74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->74 76 Tries to steal Mail credentials (via file / registry access) 24->76 78 Tries to harvest and steal ftp login credentials 24->78 80 Tries to harvest and steal browser information (history, passwords, etc) 24->80 36 conhost.exe 26->36         started        signatures9 process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    kzy8qg5lbR.exe80%VirustotalBrowse
                    kzy8qg5lbR.exe88%ReversingLabsWin32.Spyware.Negasteal
                    kzy8qg5lbR.exe100%AviraTR/AD.GenSteal.oilgp
                    kzy8qg5lbR.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\DeQadQO.exe100%AviraTR/AD.GenSteal.oilgp
                    C:\Users\user\AppData\Roaming\DeQadQO.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\DeQadQO.exe88%ReversingLabsWin32.Spyware.Negasteal

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://mail.iaa-airferight.com100%Avira URL Cloudmalware

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    mail.iaa-airferight.com
                    		46.175.148.58
                    		truefalse
                      		high

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      https://account.dyn.com/kzy8qg5lbR.exe, 00000000.00000002.1536440135.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, kzy8qg5lbR.exe, 00000009.00000002.2765766310.0000000000435000.00000040.00000400.00020000.00000000.sdmpfalse
                        		high
                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namekzy8qg5lbR.exe, 00000000.00000002.1535336276.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, DeQadQO.exe, 0000000A.00000002.1581908816.0000000002FBE000.00000004.00000800.00020000.00000000.sdmpfalse
                          		high
                          http://www.symauth.com/cps0(kzy8qg5lbR.exe, DeQadQO.exe.0.drfalse
                            		high
                            http://www.symauth.com/rpa00kzy8qg5lbR.exe, DeQadQO.exe.0.drfalse
                              		high
                              http://mail.iaa-airferight.comkzy8qg5lbR.exe, 00000009.00000002.2768942453.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp, DeQadQO.exe, 0000000E.00000002.2768568384.0000000002F96000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: malware
                              		unknown

                              World Map of Contacted IPs

                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs

                              Public IPs

                              IPDomainCountryFlagASNASN NameMalicious
                              46.175.148.58
                              		mail.iaa-airferight.comUkraine
                              		56394ASLAGIDKOM-NETUAfalse

                              General Information

                              Joe Sandbox version:42.0.0 Malachite
                              Analysis ID:1587599
                              Start date and time:2025-01-10 15:24:14 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 6m 40s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:19
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:kzy8qg5lbR.exe
                              renamed because original name is a hash value
                              Original Sample Name:8cd8abcb282f372de8c9de1c810b3b201b74974de71166809a7db64f8e344a9b.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@19/15@1/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 235
                              • Number of non-executed functions: 9
                              Cookbook Comments:
                              • Found application associated with file extension: .exe

                              Warnings

                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 184.28.90.27, 20.109.210.53, 13.107.253.45
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

                              TimeTypeDescription
                              09:25:19API Interceptor177x Sleep call for process: kzy8qg5lbR.exe modified
                              09:25:22API Interceptor38x Sleep call for process: powershell.exe modified
                              09:25:25API Interceptor173x Sleep call for process: DeQadQO.exe modified
                              15:25:22Task SchedulerRun new task: DeQadQO path: C:\Users\user\AppData\Roaming\DeQadQO.exe

                              Joe Sandbox View / Context

                              IPs

                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              46.175.148.58OP53532 Harumi new order.scr.exeGet hashmaliciousAgentTeslaBrowse
                                INV01542 , INV01562-7500003124 JTR-0084.exeGet hashmaliciousAgentTeslaBrowse
                                  Shipment Dec Orders valves 2024.scr.exeGet hashmaliciousAgentTeslaBrowse
                                    proforma invoice.exeGet hashmaliciousAgentTeslaBrowse
                                      Overdue_payment.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                        PO for fabric forecast.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                          980001672 PPR for 30887217.scr.exeGet hashmaliciousAgentTeslaBrowse
                                            lC7L7oBBMC.exeGet hashmaliciousAgentTeslaBrowse
                                              OHScaqAPjt.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                RFQ ENQ186 OI REQUIRE RATE.exeGet hashmaliciousAgentTeslaBrowse

                                                  Domains

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  mail.iaa-airferight.comOP53532 Harumi new order.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  INV01542 , INV01562-7500003124 JTR-0084.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  Shipment Dec Orders valves 2024.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  proforma invoice.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  Overdue_payment.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  PO for fabric forecast.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                  • 46.175.148.58
                                                  980001672 PPR for 30887217.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  lC7L7oBBMC.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  OHScaqAPjt.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                  • 46.175.148.58
                                                  RFQ ENQ186 OI REQUIRE RATE.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58

                                                  ASNs

                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                  ASLAGIDKOM-NETUAOP53532 Harumi new order.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  INV01542 , INV01562-7500003124 JTR-0084.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  Shipment Dec Orders valves 2024.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  proforma invoice.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  Overdue_payment.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  PO for fabric forecast.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                  • 46.175.148.58
                                                  980001672 PPR for 30887217.scr.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  lC7L7oBBMC.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58
                                                  OHScaqAPjt.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                  • 46.175.148.58
                                                  RFQ ENQ186 OI REQUIRE RATE.exeGet hashmaliciousAgentTeslaBrowse
                                                  • 46.175.148.58

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DeQadQO.exe.log

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\DeQadQO.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.34331486778365
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                  Malicious:false
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\kzy8qg5lbR.exe.log

                                                  Download File
                                                  Process:C:\Users\user\Desktop\kzy8qg5lbR.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1216
                                                  Entropy (8bit):5.34331486778365
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                  MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                  SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                  SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                  SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                  Malicious:true
                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                  C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                  Download File
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):2232
                                                  Entropy (8bit):5.380134126512796
                                                  Encrypted:false
                                                  SSDEEP:48:+WSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//8PUyus:+LHxvIIwLgZ2KRHWLOug8s
                                                  MD5:F37AEC77E01BBB962825154484185140
                                                  SHA1:4EB2AF977817681D7A1EB59060C0DD62A166C7D4
                                                  SHA-256:CB443439A2777B9803D5D93B8FD4DCA1F2544148EF27123006E92C8ADF05DD6F
                                                  SHA-512:371FBFCB6FAB236D5C88B2BB6E3322A1A265AF88BD4238319C56569F93163CA10CDE73D1E92DD550C9F7040769DE7DD28A9BACB48763749173CFC2372B40B72F
                                                  Malicious:false
                                                  Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0dtkcpd3.ng5.ps1

                                                  Download File
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0ij2knqz.hv0.psm1

                                                  Download File
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_natx4uak.srn.ps1

                                                  Download File
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qgf4bzj2.xku.ps1

                                                  Download File
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tb50xwy3.kyy.psm1

                                                  Download File
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_x0phvmhg.2r1.ps1

                                                  Download File
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xj3i4fdi.5m0.psm1

                                                  Download File
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                  C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ywwo2mux.s2h.psm1

                                                  Download File
                                                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  File Type:ASCII text, with no line terminators
                                                  Category:dropped
                                                  Size (bytes):60
                                                  Entropy (8bit):4.038920595031593
                                                  Encrypted:false
                                                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                  Malicious:false
                                                  Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                  C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp

                                                  Download File
                                                  Process:C:\Users\user\Desktop\kzy8qg5lbR.exe
                                                  File Type:XML 1.0 document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):1580
                                                  Entropy (8bit):5.107503534031619
                                                  Encrypted:false
                                                  SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt8xvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT8v
                                                  MD5:F6ADC61430E97690F88F8E7AEFE4407B
                                                  SHA1:670B31341F7E549EF77FE7B187B90066922402D0
                                                  SHA-256:4F1B16E73CF16BC2E2526244E7F4549977806E9CDC090882BF64C1A84414A3CA
                                                  SHA-512:69454DDC11AEE7D9943E0C429D1E36E08A478C237EA6F6DB3C7818466A2889874AA1C7B7E934AEA97D0CA34167FAED477164F146A19BDA01E887317B7A566D97
                                                  Malicious:true
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                                  C:\Users\user\AppData\Local\Temp\tmpEA3C.tmp

                                                  Download File
                                                  Process:C:\Users\user\AppData\Roaming\DeQadQO.exe
                                                  File Type:XML 1.0 document, ASCII text
                                                  Category:dropped
                                                  Size (bytes):1580
                                                  Entropy (8bit):5.107503534031619
                                                  Encrypted:false
                                                  SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt8xvn:cgeLAYrFdOFzOzN33ODOiDdKrsuT8v
                                                  MD5:F6ADC61430E97690F88F8E7AEFE4407B
                                                  SHA1:670B31341F7E549EF77FE7B187B90066922402D0
                                                  SHA-256:4F1B16E73CF16BC2E2526244E7F4549977806E9CDC090882BF64C1A84414A3CA
                                                  SHA-512:69454DDC11AEE7D9943E0C429D1E36E08A478C237EA6F6DB3C7818466A2889874AA1C7B7E934AEA97D0CA34167FAED477164F146A19BDA01E887317B7A566D97
                                                  Malicious:false
                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                                  C:\Users\user\AppData\Roaming\DeQadQO.exe

                                                  Download File
                                                  Process:C:\Users\user\Desktop\kzy8qg5lbR.exe
                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):942184
                                                  Entropy (8bit):7.432549101406065
                                                  Encrypted:false
                                                  SSDEEP:12288:MykR5mU+8qeqbEcWsCjF3eSNgAQkhZlZChdHzFdqpHY273XFQvXP7r9r/+pppppv:ZkRxuhWsaHNTQ0K2731QvX1q
                                                  MD5:9C3DF8227BB53D5B57E8BC749442965A
                                                  SHA1:D33AFDAD1EADBEF7FEC5C8DF379E4AEFABC07391
                                                  SHA-256:8CD8ABCB282F372DE8C9DE1C810B3B201B74974DE71166809A7DB64F8E344A9B
                                                  SHA-512:E70C6B0339FB643FE0D32299136DE7A2015F266523805E73C695893EF9E9F46BB2519589181E2CE239D9872C9F2A20C8E3AB81B4ECB5DE591E25F37EC7540D8B
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Avira, Detection: 100%
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 88%
                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~F.g..............0......P......".... ........@.. ....................................@.....................................O........M...........,..h4...`....................................................... ............... ..H............text...(.... ...................... ..`.rsrc....M.......N..................@..@.reloc.......`.......*..............@..B........................H.......................f................................................r...p}.....r...p}......}.....(%......(.....*..*....0...........(......s7....sA....sC.....{......s....s)...o&.....s....%..js....o.....%r!..po.....%.o.....oB.....s....%..js....o.....%r-..po.....oB.....s....%..js....o.....%..s'...(....o.....%rA..po.....oB....*..0...........rY..p..sd.....oe......+..*..0..]..........((...r...p().....(*.....,,.(+....r...p(,....rl..p(,....(+......(-......sp.....ok......+..*".(

                                                  C:\Users\user\AppData\Roaming\DeQadQO.exe:Zone.Identifier

                                                  Download File
                                                  Process:C:\Users\user\Desktop\kzy8qg5lbR.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):26
                                                  Entropy (8bit):3.95006375643621
                                                  Encrypted:false
                                                  SSDEEP:3:ggPYV:rPYV
                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                  Malicious:true
                                                  Preview:[ZoneTransfer]....ZoneId=0

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.432549101406065
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                  • Win32 Executable (generic) a (10002005/4) 49.97%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:kzy8qg5lbR.exe
                                                  File size:942'184 bytes
                                                  MD5:9c3df8227bb53d5b57e8bc749442965a
                                                  SHA1:d33afdad1eadbef7fec5c8df379e4aefabc07391
                                                  SHA256:8cd8abcb282f372de8c9de1c810b3b201b74974de71166809a7db64f8e344a9b
                                                  SHA512:e70c6b0339fb643fe0d32299136de7a2015f266523805e73c695893ef9e9f46bb2519589181e2ce239d9872c9f2a20c8e3ab81b4ecb5de591e25f37ec7540d8b
                                                  SSDEEP:12288:MykR5mU+8qeqbEcWsCjF3eSNgAQkhZlZChdHzFdqpHY273XFQvXP7r9r/+pppppv:ZkRxuhWsaHNTQ0K2731QvX1q
                                                  TLSH:C615CE81E5845AA0DD6D9B706936CC3543337EBDA834E81D29DD3D6B3BFB7825022227
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...~F.g..............0......P......".... ........@.. ....................................@................................

                                                  File Icon

                                                  Icon Hash:c5a484988c94a04b

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x4af922
                                                  Entrypoint Section:.text
                                                  Digitally signed:true
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x6704467E [Mon Oct 7 20:37:18 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Authenticode Signature

                                                  Signature Valid:false
                                                  Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                                  Signature Validation Error:The digital signature of the object did not verify
                                                  Error Number:-2146869232
                                                  Not Before, Not After
                                                  • 11/11/2021 01:00:00 14/11/2024 00:59:59
                                                  Subject Chain
                                                  • CN="NetEase Youdao Information Technology (Beijing) Co.,Ltd.", O="NetEase Youdao Information Technology (Beijing) Co.,Ltd.", S=Beijing, C=CN
                                                  Version:3
                                                  Thumbprint MD5:4F5FEC748CD450F88841E761105381F9
                                                  Thumbprint SHA-1:4969233BC110419F015F688CF21C19254B1B0BAA
                                                  Thumbprint SHA-256:1CC254B81F32E63E63AD35958D2E738ADAA491167E1EA91199DEF66274175909
                                                  Serial:01CC0C6632D0CA3E68F19D8028508E91

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al
                                                  add byte ptr [eax], al

                                                  Data Directories

                                                  NameVirtual AddressVirtual Size Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0xaf8d00x4f.text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0xb00000x34dec.rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0xe2c000x3468
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0xe60000xc.reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                  Sections

                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                  .text0x20000xad9280xada0060aae9cb99dee0ae144ee223ccfaf57dFalse0.9286680503059755data7.904066013657937IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rsrc0xb00000x34dec0x34e00e02b27bcf0fd575e1affb649dec3099bFalse0.20937684692671396data4.429835259806629IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc0xe60000xc0x20042c849c5c948809377f30fdc1a160737False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                  Resources

                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                  RT_ICON0xb04480x668Device independent bitmap graphic, 48 x 96 x 4, image size 11520.3225609756097561
                                                  RT_ICON0xb0ab00x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 5120.43951612903225806
                                                  RT_ICON0xb0d980x1e8Device independent bitmap graphic, 24 x 48 x 4, image size 2880.4016393442622951
                                                  RT_ICON0xb0f800x128Device independent bitmap graphic, 16 x 32 x 4, image size 1280.4831081081081081
                                                  RT_ICON0xb10a80x35e0PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9907192575406032
                                                  RT_ICON0xb46880xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors0.4584221748400853
                                                  RT_ICON0xb55300x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors0.47382671480144406
                                                  RT_ICON0xb5dd80x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors0.45564516129032256
                                                  RT_ICON0xb64a00x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors0.3504335260115607
                                                  RT_ICON0xb6a080x10828Device independent bitmap graphic, 128 x 256 x 32, image size 675840.07868508221933042
                                                  RT_ICON0xc72300x94a8Device independent bitmap graphic, 96 x 192 x 32, image size 380160.15114568005045195
                                                  RT_ICON0xd06d80x67e8Device independent bitmap graphic, 80 x 160 x 32, image size 265600.1543233082706767
                                                  RT_ICON0xd6ec00x5488Device independent bitmap graphic, 72 x 144 x 32, image size 216000.175184842883549
                                                  RT_ICON0xdc3480x4228Device independent bitmap graphic, 64 x 128 x 32, image size 168960.15948275862068967
                                                  RT_ICON0xe05700x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 96000.24107883817427386
                                                  RT_ICON0xe2b180x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 42240.2678236397748593
                                                  RT_ICON0xe3bc00x988Device independent bitmap graphic, 24 x 48 x 32, image size 24000.37459016393442623
                                                  RT_ICON0xe45480x468Device independent bitmap graphic, 16 x 32 x 32, image size 10880.42819148936170215
                                                  RT_GROUP_ICON0xe49b00x102data0.5775193798449613
                                                  RT_GROUP_ICON0xe4ab40x14data1.05
                                                  RT_VERSION0xe4ac80x324data0.43034825870646765

                                                  Imports

                                                  DLLImport
                                                  mscoree.dll_CorExeMain

                                                  Network Behavior

                                                  Network Port Distribution

                                                  TCP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Jan 10, 2025 15:25:24.655965090 CET4970925192.168.2.846.175.148.58
                                                  Jan 10, 2025 15:25:25.715534925 CET4970925192.168.2.846.175.148.58
                                                  Jan 10, 2025 15:25:27.661638975 CET4971225192.168.2.846.175.148.58
                                                  Jan 10, 2025 15:25:27.715482950 CET4970925192.168.2.846.175.148.58
                                                  Jan 10, 2025 15:25:28.699879885 CET4971225192.168.2.846.175.148.58
                                                  Jan 10, 2025 15:25:30.699879885 CET4971225192.168.2.846.175.148.58
                                                  Jan 10, 2025 15:25:31.731342077 CET4970925192.168.2.846.175.148.58
                                                  Jan 10, 2025 15:25:34.715496063 CET4971225192.168.2.846.175.148.58
                                                  Jan 10, 2025 15:25:39.732140064 CET4970925192.168.2.846.175.148.58
                                                  Jan 10, 2025 15:25:42.731157064 CET4971225192.168.2.846.175.148.58

                                                  UDP Packets

                                                  TimestampSource PortDest PortSource IPDest IP
                                                  Jan 10, 2025 15:25:24.404576063 CET5683153192.168.2.81.1.1.1
                                                  Jan 10, 2025 15:25:24.561182022 CET53568311.1.1.1192.168.2.8

                                                  DNS Queries

                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                  Jan 10, 2025 15:25:24.404576063 CET192.168.2.81.1.1.10x8f86Standard query (0)mail.iaa-airferight.comA (IP address)IN (0x0001)false

                                                  DNS Answers

                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                  Jan 10, 2025 15:25:24.561182022 CET1.1.1.1192.168.2.80x8f86No error (0)mail.iaa-airferight.com46.175.148.58A (IP address)IN (0x0001)false

                                                  Statistics

                                                  CPU Usage

                                                  Click to jump to process

                                                  Memory Usage

                                                  Click to jump to process

                                                  High Level Behavior Distribution

                                                  Click to dive into process behavior distribution

                                                  Behavior

                                                  Click to jump to process

                                                  System Behavior

                                                  General

                                                  Target ID:0
                                                  Start time:09:25:18
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\Desktop\kzy8qg5lbR.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\kzy8qg5lbR.exe"
                                                  Imagebase:0xaf0000
                                                  File size:942'184 bytes
                                                  MD5 hash:9C3DF8227BB53D5B57E8BC749442965A
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1536440135.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1536440135.0000000003EE9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:3
                                                  Start time:09:25:20
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\kzy8qg5lbR.exe"
                                                  Imagebase:0x3d0000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:4
                                                  Start time:09:25:20
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6ee680000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:5
                                                  Start time:09:25:21
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\DeQadQO.exe"
                                                  Imagebase:0x3d0000
                                                  File size:433'152 bytes
                                                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:6
                                                  Start time:09:25:21
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6ee680000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:7
                                                  Start time:09:25:21
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpD8B8.tmp"
                                                  Imagebase:0xab0000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:8
                                                  Start time:09:25:21
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6ee680000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:9
                                                  Start time:09:25:21
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\Desktop\kzy8qg5lbR.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\kzy8qg5lbR.exe"
                                                  Imagebase:0xbd0000
                                                  File size:942'184 bytes
                                                  MD5 hash:9C3DF8227BB53D5B57E8BC749442965A
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2768942453.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2765766310.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2765766310.0000000000435000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2768942453.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2768942453.0000000002E81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:low
                                                  Has exited:false

                                                  General

                                                  Target ID:10
                                                  Start time:09:25:22
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\DeQadQO.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\AppData\Roaming\DeQadQO.exe
                                                  Imagebase:0xa60000
                                                  File size:942'184 bytes
                                                  MD5 hash:9C3DF8227BB53D5B57E8BC749442965A
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Avira
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 88%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  General

                                                  Target ID:11
                                                  Start time:09:25:24
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                  Imagebase:0x7ff605670000
                                                  File size:496'640 bytes
                                                  MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                  Has elevated privileges:true
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:12
                                                  Start time:09:25:25
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DeQadQO" /XML "C:\Users\user\AppData\Local\Temp\tmpEA3C.tmp"
                                                  Imagebase:0xab0000
                                                  File size:187'904 bytes
                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:13
                                                  Start time:09:25:25
                                                  Start date:10/01/2025
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff6ee680000
                                                  File size:862'208 bytes
                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  General

                                                  Target ID:14
                                                  Start time:09:25:26
                                                  Start date:10/01/2025
                                                  Path:C:\Users\user\AppData\Roaming\DeQadQO.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Roaming\DeQadQO.exe"
                                                  Imagebase:0xbb0000
                                                  File size:942'184 bytes
                                                  MD5 hash:9C3DF8227BB53D5B57E8BC749442965A
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2768568384.0000000002F8E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.2768568384.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.2768568384.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Has exited:false

                                                  Disassembly

                                                  Reset < >

                                                    Execution Graph

                                                    Execution Coverage:10.9%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:224
                                                    Total number of Limit Nodes:21
                                                    execution_graph 22568 151d6e1 22569 151d6a4 DuplicateHandle 22568->22569 22570 151d6ea 22568->22570 22571 151d6b6 22569->22571 22370 7277060 22371 7276e62 22370->22371 22372 727706a 22370->22372 22376 72793b0 22372->22376 22392 72793c0 22372->22392 22373 72770d3 22377 72793da 22376->22377 22408 7279926 22377->22408 22417 7279af8 22377->22417 22426 7279839 22377->22426 22435 7279999 22377->22435 22440 7279dbf 22377->22440 22445 7279e52 22377->22445 22449 72797d4 22377->22449 22453 7279a36 22377->22453 22462 7279d40 22377->22462 22467 7279a63 22377->22467 22476 7279fa3 22377->22476 22480 7279ba3 22377->22480 22492 72798e3 22377->22492 22378 72793fe 22378->22373 22394 72793da 22392->22394 22393 72793fe 22393->22373 22395 7279926 4 API calls 22394->22395 22396 72798e3 4 API calls 22394->22396 22397 7279ba3 6 API calls 22394->22397 22398 7279fa3 2 API calls 22394->22398 22399 7279a63 4 API calls 22394->22399 22400 7279d40 2 API calls 22394->22400 22401 7279a36 4 API calls 22394->22401 22402 72797d4 2 API calls 22394->22402 22403 7279e52 2 API calls 22394->22403 22404 7279dbf 2 API calls 22394->22404 22405 7279999 2 API calls 22394->22405 22406 7279839 4 API calls 22394->22406 22407 7279af8 4 API calls 22394->22407 22395->22393 22396->22393 22397->22393 22398->22393 22399->22393 22400->22393 22401->22393 22402->22393 22403->22393 22404->22393 22405->22393 22406->22393 22407->22393 22409 727982f 22408->22409 22409->22378 22409->22408 22410 7279b98 22409->22410 22411 727a02a 22409->22411 22500 72760c0 22409->22500 22504 72760b9 22409->22504 22412 727a0ba 22410->22412 22508 7276740 22410->22508 22512 7276738 22410->22512 22411->22378 22412->22378 22418 727982f 22417->22418 22418->22378 22419 727a02a 22418->22419 22420 7279b98 22418->22420 22422 72760c0 ResumeThread 22418->22422 22423 72760b9 ResumeThread 22418->22423 22419->22378 22421 727a0ba 22420->22421 22424 7276740 WriteProcessMemory 22420->22424 22425 7276738 WriteProcessMemory 22420->22425 22421->22378 22422->22418 22423->22418 22424->22420 22425->22420 22428 727982f 22426->22428 22427 7279b98 22430 727a0ba 22427->22430 22433 7276740 WriteProcessMemory 22427->22433 22434 7276738 WriteProcessMemory 22427->22434 22428->22378 22428->22427 22429 727a02a 22428->22429 22431 72760c0 ResumeThread 22428->22431 22432 72760b9 ResumeThread 22428->22432 22429->22378 22430->22378 22431->22428 22432->22428 22433->22427 22434->22427 22436 727999f 22435->22436 22438 7276740 WriteProcessMemory 22436->22438 22439 7276738 WriteProcessMemory 22436->22439 22437 7279ecb 22438->22437 22439->22437 22441 7279b98 22440->22441 22441->22440 22442 727a0ba 22441->22442 22443 7276740 WriteProcessMemory 22441->22443 22444 7276738 WriteProcessMemory 22441->22444 22442->22378 22443->22441 22444->22441 22516 7276828 22445->22516 22520 7276830 22445->22520 22446 7279e74 22524 72769bc 22449->22524 22528 72769c8 22449->22528 22454 727982f 22453->22454 22454->22378 22455 727a02a 22454->22455 22456 7279b98 22454->22456 22458 72760c0 ResumeThread 22454->22458 22459 72760b9 ResumeThread 22454->22459 22455->22378 22457 727a0ba 22456->22457 22460 7276740 WriteProcessMemory 22456->22460 22461 7276738 WriteProcessMemory 22456->22461 22457->22378 22458->22454 22459->22454 22460->22456 22461->22456 22463 7279d49 22462->22463 22465 7276740 WriteProcessMemory 22463->22465 22466 7276738 WriteProcessMemory 22463->22466 22464 727a07b 22465->22464 22466->22464 22468 727982f 22467->22468 22468->22378 22469 727a02a 22468->22469 22470 7279b98 22468->22470 22474 72760c0 ResumeThread 22468->22474 22475 72760b9 ResumeThread 22468->22475 22469->22378 22469->22469 22471 727a0ba 22470->22471 22472 7276740 WriteProcessMemory 22470->22472 22473 7276738 WriteProcessMemory 22470->22473 22471->22378 22472->22470 22473->22470 22474->22468 22475->22468 22532 72765a0 22476->22532 22536 72765a8 22476->22536 22477 7279cff 22477->22476 22481 7279bb0 22480->22481 22482 727982f 22480->22482 22488 72765a0 Wow64SetThreadContext 22481->22488 22489 72765a8 Wow64SetThreadContext 22481->22489 22482->22378 22483 727a02a 22482->22483 22484 7279b98 22482->22484 22486 72760c0 ResumeThread 22482->22486 22487 72760b9 ResumeThread 22482->22487 22483->22378 22485 727a0ba 22484->22485 22490 7276740 WriteProcessMemory 22484->22490 22491 7276738 WriteProcessMemory 22484->22491 22485->22378 22486->22482 22487->22482 22488->22482 22489->22482 22490->22484 22491->22484 22493 72798e9 22492->22493 22540 727a448 22493->22540 22545 727a458 22493->22545 22494 7279903 22498 7276740 WriteProcessMemory 22494->22498 22499 7276738 WriteProcessMemory 22494->22499 22495 7279ecb 22498->22495 22499->22495 22501 7276100 ResumeThread 22500->22501 22503 7276131 22501->22503 22503->22409 22505 7276100 ResumeThread 22504->22505 22507 7276131 22505->22507 22507->22409 22509 7276788 WriteProcessMemory 22508->22509 22511 72767df 22509->22511 22511->22410 22513 7276788 WriteProcessMemory 22512->22513 22515 72767df 22513->22515 22515->22410 22517 727687b ReadProcessMemory 22516->22517 22519 72768bf 22517->22519 22519->22446 22521 727687b ReadProcessMemory 22520->22521 22523 72768bf 22521->22523 22523->22446 22525 7276a51 CreateProcessA 22524->22525 22527 7276c13 22525->22527 22529 7276a51 CreateProcessA 22528->22529 22531 7276c13 22529->22531 22533 72765ed Wow64SetThreadContext 22532->22533 22535 7276635 22533->22535 22535->22477 22537 72765ed Wow64SetThreadContext 22536->22537 22539 7276635 22537->22539 22539->22477 22541 727a46d 22540->22541 22550 7276679 22541->22550 22554 7276680 22541->22554 22542 727a48c 22542->22494 22546 727a46d 22545->22546 22548 7276680 VirtualAllocEx 22546->22548 22549 7276679 VirtualAllocEx 22546->22549 22547 727a48c 22547->22494 22548->22547 22549->22547 22551 72766c0 VirtualAllocEx 22550->22551 22553 72766fd 22551->22553 22553->22542 22555 72766c0 VirtualAllocEx 22554->22555 22557 72766fd 22555->22557 22557->22542 22558 151d3d8 22559 151d41e GetCurrentProcess 22558->22559 22561 151d470 GetCurrentThread 22559->22561 22562 151d469 22559->22562 22563 151d4a6 22561->22563 22564 151d4ad GetCurrentProcess 22561->22564 22562->22561 22563->22564 22565 151d4e3 22564->22565 22566 151d50b GetCurrentThreadId 22565->22566 22567 151d53c 22566->22567 22572 1514668 22573 151467a 22572->22573 22574 1514686 22573->22574 22578 1514778 22573->22578 22583 1514204 22574->22583 22576 15146a5 22579 151479d 22578->22579 22587 1514878 22579->22587 22591 1514888 22579->22591 22584 151420f 22583->22584 22599 1515c6c 22584->22599 22586 1516ff0 22586->22576 22589 1514882 22587->22589 22588 151498c 22588->22588 22589->22588 22595 15144e4 22589->22595 22593 15148af 22591->22593 22592 151498c 22592->22592 22593->22592 22594 15144e4 CreateActCtxA 22593->22594 22594->22592 22596 1515918 CreateActCtxA 22595->22596 22598 15159db 22596->22598 22600 1515c77 22599->22600 22603 1515c8c 22600->22603 22602 1517095 22602->22586 22604 1515c97 22603->22604 22607 1515cbc 22604->22607 22606 151717a 22606->22602 22608 1515cc7 22607->22608 22611 1515cec 22608->22611 22610 151726d 22610->22606 22612 1515cf7 22611->22612 22614 151856b 22612->22614 22617 151ac1a 22612->22617 22613 15185a9 22613->22610 22614->22613 22622 151cd15 22614->22622 22618 151ac25 22617->22618 22626 151ac50 22618->22626 22629 151ac40 22618->22629 22619 151ac2e 22619->22614 22623 151cd31 22622->22623 22624 151cd55 22623->22624 22638 151cec0 22623->22638 22624->22613 22633 151ad48 22626->22633 22627 151ac5f 22627->22619 22630 151ac50 22629->22630 22632 151ad48 GetModuleHandleW 22630->22632 22631 151ac5f 22631->22619 22632->22631 22634 151ad7c 22633->22634 22635 151ad59 22633->22635 22634->22627 22635->22634 22636 151af80 GetModuleHandleW 22635->22636 22637 151afad 22636->22637 22637->22627 22639 151cecd 22638->22639 22640 151cf07 22639->22640 22642 151b720 22639->22642 22640->22624 22643 151b72b 22642->22643 22645 151dc18 22643->22645 22646 151d024 22643->22646 22645->22645 22647 151d02f 22646->22647 22648 1515cec GetModuleHandleW 22647->22648 22649 151dc87 22648->22649 22649->22645 22650 727a578 22651 727a703 22650->22651 22653 727a59e 22650->22653 22653->22651 22654 72752e0 22653->22654 22655 727a7f8 PostMessageW 22654->22655 22656 727a864 22655->22656 22656->22653

                                                    Executed Functions

                                                    Function 07270E59 Relevance: .1, Instructions: 57COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c4ec340e093ff69f18c52fa86da4c3b0e4ad8a8c939ab8eafe98755515194a08
                                                    • Instruction ID: fc36ce63a5c29ef49e04a89aa9243e90156835f650f0e0dbb38a9fdda3e34bdf
                                                    • Opcode Fuzzy Hash: c4ec340e093ff69f18c52fa86da4c3b0e4ad8a8c939ab8eafe98755515194a08
                                                    • Instruction Fuzzy Hash: F821C4B1D156188BEB28CFABCA453DEBEF6AFC9300F14C06AD50876264DB740946CF90
                                                    Function 07270E68 Relevance: .1, Instructions: 56COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8f131bb4d4b26249291c7a5b45323f535f7b30f0845581c1c9c7f23cdc0a673
                                                    • Instruction ID: bd22a9f321f6bef0b52178fae4e30e8f20f817b0abe6489b8ad4b68af83fdc9a
                                                    • Opcode Fuzzy Hash: f8f131bb4d4b26249291c7a5b45323f535f7b30f0845581c1c9c7f23cdc0a673
                                                    • Instruction Fuzzy Hash: 2D21B3B1D156198BEB28CFABC9443DEFAF6AFC9300F14C06AD50876264DBB40945CFA0
                                                    Function 0151D3C9 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0151D456
                                                    • GetCurrentThread.KERNEL32 ref: 0151D493
                                                    • GetCurrentProcess.KERNEL32 ref: 0151D4D0
                                                    • GetCurrentThreadId.KERNEL32 ref: 0151D529
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534599505.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1510000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 74eeb2001921244006f4ae1b51ad1228f19e53da375992e59e7b972f868a5142
                                                    • Instruction ID: a86ecafe4fbeb55b6649d4e1383259b87c49792d0d3c50388e22d67cdc9e7eff
                                                    • Opcode Fuzzy Hash: 74eeb2001921244006f4ae1b51ad1228f19e53da375992e59e7b972f868a5142
                                                    • Instruction Fuzzy Hash: 2B5176B0900609DFEB14CFAAD548BEEBBF1BF88304F248499D409AB391D7756944CB26
                                                    Function 0151D3D8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0151D456
                                                    • GetCurrentThread.KERNEL32 ref: 0151D493
                                                    • GetCurrentProcess.KERNEL32 ref: 0151D4D0
                                                    • GetCurrentThreadId.KERNEL32 ref: 0151D529
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534599505.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1510000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 747445543f0f12e6a3eee719be0aaaabc30fc58db0f7b6a5f112bf94516bb0ee
                                                    • Instruction ID: c0ddbc00956e9502365b8dc425c9c8ed9d29a69efc92d64c24002bc2537c06f0
                                                    • Opcode Fuzzy Hash: 747445543f0f12e6a3eee719be0aaaabc30fc58db0f7b6a5f112bf94516bb0ee
                                                    • Instruction Fuzzy Hash: D15165B0900709DFEB14CFAAD548BDEBBF1BF88304F248459D409AB3A1D7756984CB66
                                                    Function 072769BC Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 44 72769bc-7276a5d 46 7276a96-7276ab6 44->46 47 7276a5f-7276a69 44->47 54 7276aef-7276b1e 46->54 55 7276ab8-7276ac2 46->55 47->46 48 7276a6b-7276a6d 47->48 49 7276a90-7276a93 48->49 50 7276a6f-7276a79 48->50 49->46 52 7276a7d-7276a8c 50->52 53 7276a7b 50->53 52->52 56 7276a8e 52->56 53->52 63 7276b57-7276c11 CreateProcessA 54->63 64 7276b20-7276b2a 54->64 55->54 57 7276ac4-7276ac6 55->57 56->49 59 7276ae9-7276aec 57->59 60 7276ac8-7276ad2 57->60 59->54 61 7276ad6-7276ae5 60->61 62 7276ad4 60->62 61->61 65 7276ae7 61->65 62->61 75 7276c13-7276c19 63->75 76 7276c1a-7276ca0 63->76 64->63 66 7276b2c-7276b2e 64->66 65->59 68 7276b51-7276b54 66->68 69 7276b30-7276b3a 66->69 68->63 70 7276b3e-7276b4d 69->70 71 7276b3c 69->71 70->70 73 7276b4f 70->73 71->70 73->68 75->76 86 7276ca2-7276ca6 76->86 87 7276cb0-7276cb4 76->87 86->87 88 7276ca8 86->88 89 7276cb6-7276cba 87->89 90 7276cc4-7276cc8 87->90 88->87 89->90 91 7276cbc 89->91 92 7276cca-7276cce 90->92 93 7276cd8-7276cdc 90->93 91->90 92->93 96 7276cd0 92->96 94 7276cee-7276cf5 93->94 95 7276cde-7276ce4 93->95 97 7276cf7-7276d06 94->97 98 7276d0c 94->98 95->94 96->93 97->98 100 7276d0d 98->100 100->100
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07276BFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 515d475ed36e84f8fb76038799d51230240d0a13a7923c3a5dc3455d93fdd60b
                                                    • Instruction ID: 349335b722c4eff04e67e6658870ec8e3be155dc4cf04a067528cce3e498ad46
                                                    • Opcode Fuzzy Hash: 515d475ed36e84f8fb76038799d51230240d0a13a7923c3a5dc3455d93fdd60b
                                                    • Instruction Fuzzy Hash: 89914AB1D1062ACFEB20CFA8C9417EEBBB2FF49310F148569D858A7240DB759985CF91
                                                    Function 072769C8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 101 72769c8-7276a5d 103 7276a96-7276ab6 101->103 104 7276a5f-7276a69 101->104 111 7276aef-7276b1e 103->111 112 7276ab8-7276ac2 103->112 104->103 105 7276a6b-7276a6d 104->105 106 7276a90-7276a93 105->106 107 7276a6f-7276a79 105->107 106->103 109 7276a7d-7276a8c 107->109 110 7276a7b 107->110 109->109 113 7276a8e 109->113 110->109 120 7276b57-7276c11 CreateProcessA 111->120 121 7276b20-7276b2a 111->121 112->111 114 7276ac4-7276ac6 112->114 113->106 116 7276ae9-7276aec 114->116 117 7276ac8-7276ad2 114->117 116->111 118 7276ad6-7276ae5 117->118 119 7276ad4 117->119 118->118 122 7276ae7 118->122 119->118 132 7276c13-7276c19 120->132 133 7276c1a-7276ca0 120->133 121->120 123 7276b2c-7276b2e 121->123 122->116 125 7276b51-7276b54 123->125 126 7276b30-7276b3a 123->126 125->120 127 7276b3e-7276b4d 126->127 128 7276b3c 126->128 127->127 130 7276b4f 127->130 128->127 130->125 132->133 143 7276ca2-7276ca6 133->143 144 7276cb0-7276cb4 133->144 143->144 145 7276ca8 143->145 146 7276cb6-7276cba 144->146 147 7276cc4-7276cc8 144->147 145->144 146->147 148 7276cbc 146->148 149 7276cca-7276cce 147->149 150 7276cd8-7276cdc 147->150 148->147 149->150 153 7276cd0 149->153 151 7276cee-7276cf5 150->151 152 7276cde-7276ce4 150->152 154 7276cf7-7276d06 151->154 155 7276d0c 151->155 152->151 153->150 154->155 157 7276d0d 155->157 157->157
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07276BFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 8db98b4429219ca9a101c475846937bff2ccff260b8a6dc5f1e8d8d278c12df1
                                                    • Instruction ID: 5f1d1694cc30cc19b9b6c9eab2c266279dc1c621e567b2a6ad38f24df93a662f
                                                    • Opcode Fuzzy Hash: 8db98b4429219ca9a101c475846937bff2ccff260b8a6dc5f1e8d8d278c12df1
                                                    • Instruction Fuzzy Hash: A5914AB1D1061ACFEB20CFA9C9417DEBBB2FF45310F148569D808A7240DB759985CF91
                                                    Function 0151AD48 Relevance: 1.7, APIs: 1, Instructions: 210COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 158 151ad48-151ad57 159 151ad83-151ad87 158->159 160 151ad59-151ad66 call 151a0a0 158->160 161 151ad89-151ad93 159->161 162 151ad9b-151addc 159->162 167 151ad68 160->167 168 151ad7c 160->168 161->162 169 151ade9-151adf7 162->169 170 151adde-151ade6 162->170 215 151ad6e call 151afd0 167->215 216 151ad6e call 151afe0 167->216 168->159 171 151adf9-151adfe 169->171 172 151ae1b-151ae1d 169->172 170->169 176 151ae00-151ae07 call 151a0ac 171->176 177 151ae09 171->177 175 151ae20-151ae27 172->175 173 151ad74-151ad76 173->168 174 151aeb8-151af34 173->174 208 151af60-151af78 174->208 209 151af36-151af5e 174->209 179 151ae34-151ae3b 175->179 180 151ae29-151ae31 175->180 178 151ae0b-151ae19 176->178 177->178 178->175 182 151ae48-151ae4a call 151a0bc 179->182 183 151ae3d-151ae45 179->183 180->179 187 151ae4f-151ae51 182->187 183->182 189 151ae53-151ae5b 187->189 190 151ae5e-151ae63 187->190 189->190 191 151ae81-151ae8e 190->191 192 151ae65-151ae6c 190->192 198 151aeb1-151aeb7 191->198 199 151ae90-151aeae 191->199 192->191 194 151ae6e-151ae7e call 151a0cc call 151a0dc 192->194 194->191 199->198 210 151af80-151afab GetModuleHandleW 208->210 211 151af7a-151af7d 208->211 209->208 212 151afb4-151afc8 210->212 213 151afad-151afb3 210->213 211->210 213->212 215->173 216->173
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0151AF9E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534599505.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1510000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 62df8e720abdb7c07c42d0191c2b228fad59f575bab7b912c69e33659715cace
                                                    • Instruction ID: a6685376e64aa36d3ba206b29c5e33aa2809c78639b0589b27b65e936539144e
                                                    • Opcode Fuzzy Hash: 62df8e720abdb7c07c42d0191c2b228fad59f575bab7b912c69e33659715cace
                                                    • Instruction Fuzzy Hash: C8816970A01B458FE726DF6AD04479ABBF1FF88304F008A2DD44ADBA54D775E846CB90
                                                    Function 015144E4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 217 15144e4-15159d9 CreateActCtxA 220 15159e2-1515a3c 217->220 221 15159db-15159e1 217->221 228 1515a4b-1515a4f 220->228 229 1515a3e-1515a41 220->229 221->220 230 1515a51-1515a5d 228->230 231 1515a60 228->231 229->228 230->231 233 1515a61 231->233 233->233
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 015159C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534599505.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1510000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 7381c721664a25e54988e85aae0233c16161610fd2ef83b482f2a90f8944bc91
                                                    • Instruction ID: 6419068fa68a42caa5608ff15ada011cd04f744c96289229369c1d7fd0093324
                                                    • Opcode Fuzzy Hash: 7381c721664a25e54988e85aae0233c16161610fd2ef83b482f2a90f8944bc91
                                                    • Instruction Fuzzy Hash: 0641E370C00719CFEB25CFAAC844B8EBBF5BF86704F24846AD408AB255DB716945CF50
                                                    Function 07276738 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 234 7276738-727678e 236 7276790-727679c 234->236 237 727679e-72767dd WriteProcessMemory 234->237 236->237 239 72767e6-7276816 237->239 240 72767df-72767e5 237->240 240->239
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072767D0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 5535455e4b80edcbe7cacd252a08bc778ca3a5400a9721d985ac811312a4c72e
                                                    • Instruction ID: f1f52db0436a14f6054de672a81d0cf25037da0d2c400c34154362dd3a1da5a6
                                                    • Opcode Fuzzy Hash: 5535455e4b80edcbe7cacd252a08bc778ca3a5400a9721d985ac811312a4c72e
                                                    • Instruction Fuzzy Hash: 1F2135B6D103099FDB10CFA9C981BEEBBF4FF48310F14882AE918A7241C7789551CBA0
                                                    Function 07276740 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 244 7276740-727678e 246 7276790-727679c 244->246 247 727679e-72767dd WriteProcessMemory 244->247 246->247 249 72767e6-7276816 247->249 250 72767df-72767e5 247->250 250->249
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072767D0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: 3bf7f8b87cf97b4224c8f5c2c61a769f2930a82e5f741c1a2ae3a9f5908b2156
                                                    • Instruction ID: 92dffe95ff483f8ed9fa12cd10642355689c9aae756e2b2dcb26aa7500ea6781
                                                    • Opcode Fuzzy Hash: 3bf7f8b87cf97b4224c8f5c2c61a769f2930a82e5f741c1a2ae3a9f5908b2156
                                                    • Instruction Fuzzy Hash: 022125B5900359DFDB10CFAAC981BDEBBF5FF48310F14882AE918A7240C7789955CBA4
                                                    Function 072765A0 Relevance: 1.6, APIs: 1, Instructions: 64threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 259 72765a0-72765f3 261 72765f5-7276601 259->261 262 7276603-7276633 Wow64SetThreadContext 259->262 261->262 264 7276635-727663b 262->264 265 727663c-727666c 262->265 264->265
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07276626
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 471420370b292fdc2654b0260e480301b207433956f8862f9e01c111f43bcc25
                                                    • Instruction ID: dc0e94472df7c336250fbbbc32fad17867b4fe2f3b01c8ec33929620edaf49b6
                                                    • Opcode Fuzzy Hash: 471420370b292fdc2654b0260e480301b207433956f8862f9e01c111f43bcc25
                                                    • Instruction Fuzzy Hash: F72177B1D0030A8FDB10DFAAC9857EEBBF4AF48210F14882ED419A7341C7789945CFA1
                                                    Function 07276828 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 269 7276828-72768bd ReadProcessMemory 272 72768c6-72768f6 269->272 273 72768bf-72768c5 269->273 273->272
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072768B0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: a5902bc03469d995c4f5040278a5b4fbbfafd445cc2c4121aad157c6b5536259
                                                    • Instruction ID: 6fcd2a694235e0b60d5d0cf75528a6f21e8343301d9c25f4945e71da8218bccc
                                                    • Opcode Fuzzy Hash: a5902bc03469d995c4f5040278a5b4fbbfafd445cc2c4121aad157c6b5536259
                                                    • Instruction Fuzzy Hash: 252114B2C01349DFDB10CFAAC981BEEBBF5BF48310F14882AE559A7250C7399555DBA0
                                                    Function 0151D619 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 254 151d619-151d6b4 DuplicateHandle 255 151d6b6-151d6bc 254->255 256 151d6bd-151d6da 254->256 255->256
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151D6A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534599505.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1510000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 8510c34377e6acf17d280784dda1ca2cf1bc1044646f4d0091b39bdd719c50aa
                                                    • Instruction ID: b3fc19ab212bb772b8a17272cd57e7fceb5238ff588a019e7c426c88a42fafff
                                                    • Opcode Fuzzy Hash: 8510c34377e6acf17d280784dda1ca2cf1bc1044646f4d0091b39bdd719c50aa
                                                    • Instruction Fuzzy Hash: A421E5B5900248DFDB10CFAAD484ADEBFF5FB48310F24841AE958A7310C3799945CF65
                                                    Function 072765A8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 277 72765a8-72765f3 279 72765f5-7276601 277->279 280 7276603-7276633 Wow64SetThreadContext 277->280 279->280 282 7276635-727663b 280->282 283 727663c-727666c 280->283 282->283
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07276626
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 71b61b90e39b1a959927a77f5bebeb13f8cb69160f7063f2de42eef940f82b63
                                                    • Instruction ID: 8238c91603e7945a326bdcfb1caa11b1abca60b92976c862d04975f2ef56180f
                                                    • Opcode Fuzzy Hash: 71b61b90e39b1a959927a77f5bebeb13f8cb69160f7063f2de42eef940f82b63
                                                    • Instruction Fuzzy Hash: 432135B1D003099FDB10DFAAC985BAEBBF4AF48210F54842ED419A7241CB789945CFA5
                                                    Function 07276830 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 287 7276830-72768bd ReadProcessMemory 290 72768c6-72768f6 287->290 291 72768bf-72768c5 287->291 291->290
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072768B0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: be05c5bf56db26c4d7ce55de2f516fb1593c9604fc069d10528fb724de5d5c18
                                                    • Instruction ID: eed44bc2f059509eed76c410018be162cb17404745e2d71ccba52ce88ceff8ec
                                                    • Opcode Fuzzy Hash: be05c5bf56db26c4d7ce55de2f516fb1593c9604fc069d10528fb724de5d5c18
                                                    • Instruction Fuzzy Hash: 732105B1C003499FDB10CFAAC840AEEBBF5BF48310F14842AE518A7240C7799545CBA5
                                                    Function 0151D620 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 295 151d620-151d6b4 DuplicateHandle 296 151d6b6-151d6bc 295->296 297 151d6bd-151d6da 295->297 296->297
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151D6A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534599505.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1510000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 0d3fd9b77f3bd19d16e2290361ff12cd603d0d2c7d40ec7b2fc714077c6416cb
                                                    • Instruction ID: 3164e43a0b94b0730d86e88623ceb524c1bf870f3c7f93d3a31a3262a8ad1b7a
                                                    • Opcode Fuzzy Hash: 0d3fd9b77f3bd19d16e2290361ff12cd603d0d2c7d40ec7b2fc714077c6416cb
                                                    • Instruction Fuzzy Hash: BA21C4B5900248EFDB10CFAAD884ADEFBF8FB48710F14841AE918A7350D378A954CF65
                                                    Function 07276679 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 300 7276679-72766fb VirtualAllocEx 303 7276704-7276729 300->303 304 72766fd-7276703 300->304 304->303
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072766EE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: c0b3ac3a612c833832e5db57c5b41ff7a7e8df653eb54079a18fd0eaa9408e58
                                                    • Instruction ID: c20bd3c9be65bffa3fb5e63182aeeb1c459b1b899a184322110f8be9172d4964
                                                    • Opcode Fuzzy Hash: c0b3ac3a612c833832e5db57c5b41ff7a7e8df653eb54079a18fd0eaa9408e58
                                                    • Instruction Fuzzy Hash: CD1167B2800749DFDB10DFAAD945BDEBBF5EF48320F24881AD519A7250C7399901CFA0
                                                    Function 07276680 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 072766EE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: fc272feec94f982cfccca948965381368a6e3e03231450a1521213e41d60318e
                                                    • Instruction ID: e600d0658f0fc38afa5870b32b390d42d562a982f024bae2e86a7075a0d0a6dd
                                                    • Opcode Fuzzy Hash: fc272feec94f982cfccca948965381368a6e3e03231450a1521213e41d60318e
                                                    • Instruction Fuzzy Hash: 9D112671800349DFDB10DFAAC845BDEBBF5EB48320F148819E519A7250C7759540CBA1
                                                    Function 072760B9 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: b661369fc442ca81b08cbdf392d3724109736f08b7566313b4bcf8ef664d5bee
                                                    • Instruction ID: a37946e39b41178c65d88d2395e2e3805abb2607994781fa18ded6c104207153
                                                    • Opcode Fuzzy Hash: b661369fc442ca81b08cbdf392d3724109736f08b7566313b4bcf8ef664d5bee
                                                    • Instruction Fuzzy Hash: D31158B1D007498FDB14CFAAC54579EFBF4AB48210F24881AC419A7340C7395901CF94
                                                    Function 072760C0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 957516e6a8fdd60562bd444c113ffeecb1376a22acd2a57047b554e954f45374
                                                    • Instruction ID: a18e7bdaad5fa9eeeefacb8a0b8158429fe17a8036aceaac06229011ade94d49
                                                    • Opcode Fuzzy Hash: 957516e6a8fdd60562bd444c113ffeecb1376a22acd2a57047b554e954f45374
                                                    • Instruction Fuzzy Hash: 35116AB1D003498FDB20DFAAC84479FFBF4AB88210F248819C419A7340C7756500CFA4
                                                    Function 072752E0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0727A855
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 6043ecff4bf43441a48814853561b9c0398fad904cf26d2e0b0c74eb564e93c6
                                                    • Instruction ID: 26aee4c9a187615b16e0d5fc8a02eab435036ede223372c28f9dce7197d44737
                                                    • Opcode Fuzzy Hash: 6043ecff4bf43441a48814853561b9c0398fad904cf26d2e0b0c74eb564e93c6
                                                    • Instruction Fuzzy Hash: C111F2B5800749DFDB10CF9AC989BDEBBF8EB48320F108819E918A7210C375A945CFA5
                                                    Function 0151AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0151AF9E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534599505.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1510000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 0ce5dac7e3a770bdfd45de6129d0488b6b2717aebc94898cc99bb2f22251e0e9
                                                    • Instruction ID: 3d9429473fe62d89271079e147d701656188960870938ee55b56bf7bebc280a4
                                                    • Opcode Fuzzy Hash: 0ce5dac7e3a770bdfd45de6129d0488b6b2717aebc94898cc99bb2f22251e0e9
                                                    • Instruction Fuzzy Hash: 8E1110B5C007498FEB15CF9AD444BDEFBF4AB88324F10841AD828A7254C379A545CFA1
                                                    Function 0727A7F0 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 0727A855
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: e1a701ccc5b01d6ee22772c21c57af811566f1f4e39b89fc19e07296d2f4174f
                                                    • Instruction ID: 6326b7256bcf63c30afb98e91165dcd260a0ce36f2dc1aaa7b48cf4fd4d4a7fc
                                                    • Opcode Fuzzy Hash: e1a701ccc5b01d6ee22772c21c57af811566f1f4e39b89fc19e07296d2f4174f
                                                    • Instruction Fuzzy Hash: 861103B6C00749DFDB10CF9AC985BDEBBF8EB08320F14881AD518A7210C379A545CFA1
                                                    Function 0151D6E1 Relevance: 1.5, APIs: 1, Instructions: 28COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0151D6A7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534599505.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1510000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: a6e3a08d1b22d39a4ed4f5ed0fa1952fb7ecee18b05f9f9cb640eab4d3432217
                                                    • Instruction ID: 8316a01c6ee1c18daa4737a991ed6bc8dde0f6e982f468eceed09eb16353e18e
                                                    • Opcode Fuzzy Hash: a6e3a08d1b22d39a4ed4f5ed0fa1952fb7ecee18b05f9f9cb640eab4d3432217
                                                    • Instruction Fuzzy Hash: 56E0ED37905348CFEB129BA8E408389BBF19F84220F288853C299EB651C2399804CB92
                                                    Function 014BD4C4 Relevance: .1, Instructions: 75COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534182816.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14bd000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 19684585740139d7673bf5e4287c2f5eadd6ca75579d5f95b558632caf6cbc7e
                                                    • Instruction ID: 2a8de6bc076b85798f0f8f4341554382414bbca1764ee4d3a15c0a8eac5628e0
                                                    • Opcode Fuzzy Hash: 19684585740139d7673bf5e4287c2f5eadd6ca75579d5f95b558632caf6cbc7e
                                                    • Instruction Fuzzy Hash: 04212871900244EFDB15DF54D9C0B67BF65FB8831CF24C5AAE8090B266C336D456CAB2
                                                    Function 014CD01C Relevance: .1, Instructions: 72COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534227698.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14cd000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e8bcb696a191de804787e1a08237e4eededd942190e2b7200503a13a938e9d53
                                                    • Instruction ID: 4288c28cc66286266d1cd843e6c1e726c645b3bc71372acb128db328e9652f68
                                                    • Opcode Fuzzy Hash: e8bcb696a191de804787e1a08237e4eededd942190e2b7200503a13a938e9d53
                                                    • Instruction Fuzzy Hash: 572106B9904204DFDB55DF59D880B16BB61FB84618F20C57ED80A0B366C336D407CAA2
                                                    Function 014CD1D4 Relevance: .1, Instructions: 72COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534227698.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14cd000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: afa97f8106dc425c416b40517287155286b0605e3c781fda7d3c644cf4ff56d8
                                                    • Instruction ID: d3efac7169cddd38bea7b687446444a14b36b596d6a7e91d6abc17725dbe26a3
                                                    • Opcode Fuzzy Hash: afa97f8106dc425c416b40517287155286b0605e3c781fda7d3c644cf4ff56d8
                                                    • Instruction Fuzzy Hash: 54214979904304EFDB41DF94D9C0B26BB62FB84B24F20C57EE8094B362C336D406CAA2
                                                    Function 014CD006 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534227698.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14cd000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cecbaa34ea22dfaf0e3393bdc5e7c8c29ba2989f6badcc92bc5cbf88a5955f13
                                                    • Instruction ID: b63a58fed240242854baad0dcbee472c0921bac407a8cff31edaa5076696235d
                                                    • Opcode Fuzzy Hash: cecbaa34ea22dfaf0e3393bdc5e7c8c29ba2989f6badcc92bc5cbf88a5955f13
                                                    • Instruction Fuzzy Hash: C72183755093809FC712CF24D994716BF71EB46214F28C5EFD8498F667C33A980ACBA2
                                                    Function 014BD4BF Relevance: .1, Instructions: 56COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534182816.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14bd000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                    • Instruction ID: 484fe1c267e4961d1db2b8befc840dc0f7594433b1a045ef99a5ab11b4245b54
                                                    • Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                    • Instruction Fuzzy Hash: F611B176904280DFCB16CF54D9C4B56BF71FB84318F24C6AAD8490B667C33AD456CBA2
                                                    Function 014CD1CF Relevance: .1, Instructions: 53COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534227698.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14cd000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                    • Instruction ID: ae09bf3267b9ec27f54ff78a33081edb0a484be7b0623e332ffdbda833cb5a87
                                                    • Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                    • Instruction Fuzzy Hash: B411AC79904240DFCB02CF54C9C0B16BB62FB84624F24C6AED8494B766C33AD44ACB92
                                                    Function 014BD759 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534182816.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14bd000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 276a556d696346d7464b88d6433214db8b675da2a2ebe1c57e486f3126656fe5
                                                    • Instruction ID: c54d3b5d3de4b15dcb19db69bbb90c6e681796506529215437c789fc4931b662
                                                    • Opcode Fuzzy Hash: 276a556d696346d7464b88d6433214db8b675da2a2ebe1c57e486f3126656fe5
                                                    • Instruction Fuzzy Hash: BB01AC71804384ABE7104AA9DCC47D7BBD8EF41624F188597DD090A356C3799441C6B2
                                                    Function 014BD758 Relevance: .0, Instructions: 36COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534182816.00000000014BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014BD000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_14bd000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: afb28717b471bdac58ea16c5b878c27468d05fe0c9236253475be31acc6dd001
                                                    • Instruction ID: 47d089af2d09b78a9fc3262ee7f50bb01a9e6ede6ac68c4951d57d4a8b674898
                                                    • Opcode Fuzzy Hash: afb28717b471bdac58ea16c5b878c27468d05fe0c9236253475be31acc6dd001
                                                    • Instruction Fuzzy Hash: 4AF06271404384AEE7108A5ADCC4BA3FFE8EF41734F18C59AED084A397C2799844CAB1

                                                    Non-executed Functions

                                                    Function 07276170 Relevance: 1.6, Strings: 1, Instructions: 312COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: bi
                                                    • API String ID: 0-1891080015
                                                    • Opcode ID: a840456eecb6dfb1cd552d209e3fdfaa22bd81665fc548bbd18f661b349e4afe
                                                    • Instruction ID: 9befd85084c52a43da7ff8d73480e9a957b7bf37d8b8acc101bdb928a1e48c3a
                                                    • Opcode Fuzzy Hash: a840456eecb6dfb1cd552d209e3fdfaa22bd81665fc548bbd18f661b349e4afe
                                                    • Instruction Fuzzy Hash: 98E11BB4E106198FDB14DF99C580AAEFBF2BF89305F248169D815AB359D730AD41CFA0
                                                    Function 07276160 Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                    Download Yara Rule
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: bi
                                                    • API String ID: 0-1891080015
                                                    • Opcode ID: a7eed0eb2881a5c14f687de1a32e1c7548a3ac39f4316a49f26b8c0816ad72c2
                                                    • Instruction ID: 9c57329eb481dae31a1e6a78a2cabdd7155aa6b0fc33d3dbea279eadc7b499a3
                                                    • Opcode Fuzzy Hash: a7eed0eb2881a5c14f687de1a32e1c7548a3ac39f4316a49f26b8c0816ad72c2
                                                    • Instruction Fuzzy Hash: 11512AB4E106198FDB14DFA9C5805AEBBF2BF89201F248169D418AB255D7309942CFA5
                                                    Function 0727C678 Relevance: .4, Instructions: 351COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 935d973652525b79c001729163a8fadcbd33bbe1836d8bc4ddb00187c7b73475
                                                    • Instruction ID: 462ec0c7ce95a04fc86680453b365746afa29927e1a713f31018c6f3b58b4a79
                                                    • Opcode Fuzzy Hash: 935d973652525b79c001729163a8fadcbd33bbe1836d8bc4ddb00187c7b73475
                                                    • Instruction Fuzzy Hash: 5AD1CAB17113468FEB2AEB75C560B6EB7FAAF89600F10846DC106DB294DB34E941CB61
                                                    Function 07274628 Relevance: .3, Instructions: 312COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 10f48fbf5d9d989de78ed4e79cfa00f20476308905e4158a425f545b358da2ed
                                                    • Instruction ID: aeff2c83ae000e71539de58e455352108ef3158235fd8984221f1713483f09f1
                                                    • Opcode Fuzzy Hash: 10f48fbf5d9d989de78ed4e79cfa00f20476308905e4158a425f545b358da2ed
                                                    • Instruction Fuzzy Hash: 28E12CB4E102698FDB14DFA9C580AAEFBF2BF89305F248169D815AB355D7309D41CFA0
                                                    Function 07273DB8 Relevance: .3, Instructions: 312COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dc6b8f9cde0fc046e70bf0312286e6f26bbbc873ae1ea88745c767c0866a0315
                                                    • Instruction ID: c88b00b8ca04b042b5a2e53c785f700a96a834c97230955a2b7e776a920e4d21
                                                    • Opcode Fuzzy Hash: dc6b8f9cde0fc046e70bf0312286e6f26bbbc873ae1ea88745c767c0866a0315
                                                    • Instruction Fuzzy Hash: D7E11AB4E102598FDB14DFA9C580AAEBBF2FF89305F248159E814AB355D731AD41CFA0
                                                    Function 07273980 Relevance: .3, Instructions: 312COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f59e895ab1c30530b29c408cae4091903e1eec1daf1713442797fe3b32549509
                                                    • Instruction ID: 012b69aec5109d4a6da4f1f7c204ddf82736605a4e10360cb00365c65e5e136f
                                                    • Opcode Fuzzy Hash: f59e895ab1c30530b29c408cae4091903e1eec1daf1713442797fe3b32549509
                                                    • Instruction Fuzzy Hash: 8EE119B4E102598FDB14DF99C580AAEFBF2BF89305F248159D815AB35AD730AD41CFA0
                                                    Function 072741F0 Relevance: .3, Instructions: 312COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bd6a1d2a34741ba04e1f4e38449172ff46ed92621d2a8ccf85d8e20314cf51cc
                                                    • Instruction ID: 5be292db89b77b72d4f7b3bf31a3ae1ce5074e5f673010cf39f325d87f9432aa
                                                    • Opcode Fuzzy Hash: bd6a1d2a34741ba04e1f4e38449172ff46ed92621d2a8ccf85d8e20314cf51cc
                                                    • Instruction Fuzzy Hash: 69E109B4E102598FDB14DFA9C5809AEBBF2BF89305F248169E815AB355D730AD41CFA0
                                                    Function 0151D304 Relevance: .3, Instructions: 264COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1534599505.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_1510000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5915e06ceef773f1d16d62872b36708c5e16848c07172a98b6fe3e3a81163dee
                                                    • Instruction ID: 0574f9af69624aa72f16d3a14e1bc77d7ce36aec5d215220c812c7265a55a9d9
                                                    • Opcode Fuzzy Hash: 5915e06ceef773f1d16d62872b36708c5e16848c07172a98b6fe3e3a81163dee
                                                    • Instruction Fuzzy Hash: 2BA19236E00216CFDF16DFB5C84059EBBB2FF84300B15856AE906AF265DB71E95ACB40
                                                    Function 07274618 Relevance: .1, Instructions: 130COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1554121405.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_7270000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9ac78aae73a996befe2aa2fa3d13a59ad2c5d3fda7004a047288d64c917c824b
                                                    • Instruction ID: 8ca8d6903b2300f248565cdf23f0c0fe2f261e534092d3ce6849016683efe9dc
                                                    • Opcode Fuzzy Hash: 9ac78aae73a996befe2aa2fa3d13a59ad2c5d3fda7004a047288d64c917c824b
                                                    • Instruction Fuzzy Hash: F8512AB5E1026A8FDB14DFA9C5805AEFBF2BF89301F24C169D818AB355D7319941CFA0

                                                    Execution Graph

                                                    Execution Coverage:11.6%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:3
                                                    Total number of Limit Nodes:0
                                                    execution_graph 25629 63ae280 25630 63ae2c6 GlobalMemoryStatusEx 25629->25630 25631 63ae2f6 25630->25631

                                                    Executed Functions

                                                    Function 013B9B38 Relevance: 2.8, Instructions: 2817COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d29ef3e31a5e22a46e776a9d89a069d659b6ff3fe78462037cd4374d789f3339
                                                    • Instruction ID: da8375f2c4ead1363b035e37135073865a521d320c49a2f11a27ee766241339d
                                                    • Opcode Fuzzy Hash: d29ef3e31a5e22a46e776a9d89a069d659b6ff3fe78462037cd4374d789f3339
                                                    • Instruction Fuzzy Hash: F553E531C10B1A8ADB51EB68C8845E9F7B1FF99300F51D79AE45877121FB70AAD4CB81
                                                    Function 013BCDB0 Relevance: 2.3, Instructions: 2317COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1008f752f3862cec7282999af59558070a23094758bd97c347b674c42d242fcd
                                                    • Instruction ID: 18215a79ef1bcc077278cc3b81d3cbab5ec268b88f3dc280d6e2eeef41cfd839
                                                    • Opcode Fuzzy Hash: 1008f752f3862cec7282999af59558070a23094758bd97c347b674c42d242fcd
                                                    • Instruction Fuzzy Hash: D6333C31D1071A8ADB11EF68C8846EDF7B1FF89304F14D69AE549A7211FB70AAC5CB81
                                                    Function 013B9364 Relevance: .4, Instructions: 392COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29449a008995dc18788d00490c494de3dcd115d440b7f4f4f4f90e549967700f
                                                    • Instruction ID: dc55ad7dd09c28ada43742f0f3ed3767202b0f2e86583623ca7efc484352d676
                                                    • Opcode Fuzzy Hash: 29449a008995dc18788d00490c494de3dcd115d440b7f4f4f4f90e549967700f
                                                    • Instruction Fuzzy Hash: EBE17F74B002148FDB15DF69D894BAEBBF2EF89318F104529E606EB751EA35ED41CB80
                                                    Function 013B96E0 Relevance: .4, Instructions: 358COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 3663 13b96e0-13b96fa 3664 13b96fc-13b96ff 3663->3664 3665 13b9701-13b9704 3664->3665 3666 13b9716-13b9719 3664->3666 3669 13b970a-13b9711 3665->3669 3670 13b9882-13b9892 3665->3670 3667 13b971b-13b9734 3666->3667 3668 13b9739-13b973c 3666->3668 3667->3668 3671 13b974e-13b9751 3668->3671 3672 13b973e 3668->3672 3669->3666 3679 13b9896-13b98fb 3670->3679 3680 13b9894 3670->3680 3674 13b975d-13b9760 3671->3674 3675 13b9753-13b9756 3671->3675 3677 13b9747-13b9749 3672->3677 3681 13b9762-13b977b 3674->3681 3682 13b9780-13b9783 3674->3682 3675->3665 3678 13b9758 3675->3678 3677->3671 3678->3674 3721 13b9a12-13b9a19 3679->3721 3722 13b9901-13b9903 3679->3722 3680->3679 3681->3682 3683 13b979f-13b97a2 3682->3683 3684 13b9785-13b9794 3682->3684 3686 13b97a8-13b97ab 3683->3686 3687 13b9877-13b9881 3683->3687 3695 13b979a 3684->3695 3696 13b983d-13b9859 3684->3696 3691 13b97ad-13b97cc 3686->3691 3692 13b97d7-13b97da 3686->3692 3706 13b985f-13b9860 3691->3706 3707 13b97d2 3691->3707 3697 13b97dc-13b97ef 3692->3697 3698 13b97f4-13b97f7 3692->3698 3695->3683 3697->3698 3698->3675 3699 13b97fd-13b9800 3698->3699 3704 13b9802-13b9804 3699->3704 3705 13b9807-13b980a 3699->3705 3704->3705 3709 13b982b-13b982e 3705->3709 3710 13b980c-13b9826 3705->3710 3708 13b9865-13b9867 3706->3708 3707->3692 3714 13b9869 3708->3714 3715 13b986e-13b9871 3708->3715 3716 13b9838-13b983b 3709->3716 3717 13b9830-13b9833 3709->3717 3710->3709 3714->3715 3715->3664 3715->3687 3716->3696 3719 13b985a-13b985d 3716->3719 3717->3716 3719->3706 3719->3708 3764 13b9906 call 13b968e 3722->3764 3765 13b9906 call 13b9490 3722->3765 3766 13b9906 call 13b96e0 3722->3766 3767 13b9906 call 13b9364 3722->3767 3724 13b990c-13b9918 3726 13b991a-13b9921 3724->3726 3727 13b9923-13b992a 3724->3727 3726->3727 3728 13b992b-13b9952 3726->3728 3732 13b995c-13b9963 3728->3732 3733 13b9954-13b995b 3728->3733 3734 13b9a1a-13b9a4b 3732->3734 3735 13b9969-13b996d 3732->3735 3739 13b9a4d-13b9a4f 3734->3739 3736 13b996f-13b9976 3735->3736 3737 13b9977-13b99f6 3735->3737 3747 13b99f8-13b99ff 3737->3747 3748 13b9a06-13b9a0c call 13b9b38 3737->3748 3741 13b9a51 3739->3741 3742 13b9a56-13b9a59 3739->3742 3741->3742 3742->3739 3743 13b9a5b-13b9a97 call 13b0368 3742->3743 3752 13b9a99-13b9a9b 3743->3752 3753 13b9a9f-13b9aa2 3743->3753 3747->3748 3748->3721 3754 13b9ae9 3752->3754 3755 13b9a9d 3752->3755 3753->3754 3756 13b9aa4-13b9ace 3753->3756 3758 13b9aee-13b9af2 3754->3758 3755->3756 3763 13b9ad4-13b9ae7 3756->3763 3759 13b9afd 3758->3759 3760 13b9af4 3758->3760 3760->3759 3763->3758 3764->3724 3765->3724 3766->3724 3767->3724
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6a2ac363b9af3018ddf234941e0dbb46c4373f14ef372e2cb60923510ce1dc6a
                                                    • Instruction ID: 2efd554194b0fc4f2c47527f7263568d2352dee9c5de268b5625fbee87c69306
                                                    • Opcode Fuzzy Hash: 6a2ac363b9af3018ddf234941e0dbb46c4373f14ef372e2cb60923510ce1dc6a
                                                    • Instruction Fuzzy Hash: 92C1AF70A002058FDB14DF6DD8807AEBBB5FF88318F208569E609EB791E731D841CB90
                                                    Function 013B41C8 Relevance: .3, Instructions: 281COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 34277ffa2f642064b86d9942a326b92e1bf2b8f61b51f0331aca9659f1bf2f24
                                                    • Instruction ID: 1809af7327b4f9c25146226decd0f5b5d3f5e2a6976eb65817f53ef155a69492
                                                    • Opcode Fuzzy Hash: 34277ffa2f642064b86d9942a326b92e1bf2b8f61b51f0331aca9659f1bf2f24
                                                    • Instruction Fuzzy Hash: A7B16070E00209CFDF14CFA9D8857EEBBF2BF88318F148129D51AAB655EB349851CB55
                                                    Function 013B4A98 Relevance: .3, Instructions: 266COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e3b5a209898ab7ab80ccfc25a0ec4f4943bdd7a8cfe0238d44ac339253677551
                                                    • Instruction ID: 64c8963a10237486b858d9982ae9da35400967ff87efa04601d308253341eea4
                                                    • Opcode Fuzzy Hash: e3b5a209898ab7ab80ccfc25a0ec4f4943bdd7a8cfe0238d44ac339253677551
                                                    • Instruction Fuzzy Hash: 35B16B70E00209DFDF10CFA8D8817EDBBF2AF88718F148129DA16EB655EB349845CB85
                                                    Function 013B3E80 Relevance: .2, Instructions: 238COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 610152d8ede836d6282e973d8e93446d7bc4b25714d09b9082f551233ff3ac2a
                                                    • Instruction ID: 5d94da1d270e79c9fc9bad2b7acb9002ffda12493bb27a1de83b1a4e92b8e3b4
                                                    • Opcode Fuzzy Hash: 610152d8ede836d6282e973d8e93446d7bc4b25714d09b9082f551233ff3ac2a
                                                    • Instruction Fuzzy Hash: 20917B70E00209DFDF14CFA9D8857EEBBF2BF88318F148129E505AB694EB749845CB95
                                                    Function 063AE278 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1360 63ae278-63ae27c 1361 63ae27e-63ae2be 1360->1361 1362 63ae245-63ae266 1360->1362 1365 63ae2c6-63ae2f4 GlobalMemoryStatusEx 1361->1365 1368 63ae2fd-63ae325 1365->1368 1369 63ae2f6-63ae2fc 1365->1369 1369->1368
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 063AE2E7
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2777516696.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_63a0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    • Opcode ID: 2b81fc769cc70645a5362f3f51d13801ec6eaaca0a29e4242e94d8d62977e654
                                                    • Instruction ID: 967defa998bf2e67a21228d284cfc0043e5fb3922296366f2b23842699bf826e
                                                    • Opcode Fuzzy Hash: 2b81fc769cc70645a5362f3f51d13801ec6eaaca0a29e4242e94d8d62977e654
                                                    • Instruction Fuzzy Hash: 1F217571C0025ADBDB24DFAAD440B9EFBF4EF48320F14812AD858A3240D778A841CFE1
                                                    Function 063AE280 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1372 63ae280-63ae2f4 GlobalMemoryStatusEx 1374 63ae2fd-63ae325 1372->1374 1375 63ae2f6-63ae2fc 1372->1375 1375->1374
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 063AE2E7
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2777516696.00000000063A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 063A0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_63a0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    • Opcode ID: b64466bc1f89e55f5d382e4d07b44f3f66a25e01669ab0f31115b4e039c198ed
                                                    • Instruction ID: 5861f149a70cba6e4a9fbf9f19e6f4670d1cea7e23d65c68d717e1d7575152ee
                                                    • Opcode Fuzzy Hash: b64466bc1f89e55f5d382e4d07b44f3f66a25e01669ab0f31115b4e039c198ed
                                                    • Instruction Fuzzy Hash: C811E2B1C0065A9BDB10DF9AD444B9EFBF4AF48320F15816AD818B7240D778A954CFA5
                                                    Function 013B7908 Relevance: .6, Instructions: 557COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 2664 13b7908-13b790a 2665 13b790e-13b791f 2664->2665 2666 13b790c 2664->2666 2667 13b7921-13b7924 2665->2667 2666->2665 2668 13b7951-13b7954 2667->2668 2669 13b7926-13b794c 2667->2669 2670 13b7981-13b7984 2668->2670 2671 13b7956-13b797c 2668->2671 2669->2668 2672 13b79b1-13b79b4 2670->2672 2673 13b7986-13b79ac 2670->2673 2671->2670 2675 13b79b6-13b79b8 2672->2675 2676 13b79c5-13b79c8 2672->2676 2673->2672 2880 13b79ba call 13b9203 2675->2880 2881 13b79ba call 13b9160 2675->2881 2882 13b79ba call 13b9150 2675->2882 2678 13b79ca-13b79f0 2676->2678 2679 13b79f5-13b79f8 2676->2679 2678->2679 2684 13b79fa-13b7a20 2679->2684 2685 13b7a25-13b7a28 2679->2685 2682 13b79c0 2682->2676 2684->2685 2686 13b7a2a-13b7a50 2685->2686 2687 13b7a55-13b7a58 2685->2687 2686->2687 2692 13b7a5a-13b7a80 2687->2692 2693 13b7a85-13b7a88 2687->2693 2692->2693 2695 13b7a8a-13b7ab0 2693->2695 2696 13b7ab5-13b7ab8 2693->2696 2695->2696 2701 13b7aba-13b7ad0 2696->2701 2702 13b7ad5-13b7ad8 2696->2702 2701->2702 2704 13b7ada-13b7b00 2702->2704 2705 13b7b05-13b7b08 2702->2705 2704->2705 2711 13b7b0a-13b7b30 2705->2711 2712 13b7b35-13b7b38 2705->2712 2711->2712 2714 13b7b3a-13b7b60 2712->2714 2715 13b7b65-13b7b68 2712->2715 2714->2715 2721 13b7b6a-13b7b90 2715->2721 2722 13b7b95-13b7b98 2715->2722 2721->2722 2724 13b7b9a-13b7bc0 2722->2724 2725 13b7bc5-13b7bc8 2722->2725 2724->2725 2729 13b7bca-13b7bf0 2725->2729 2730 13b7bf5-13b7bf8 2725->2730 2729->2730 2733 13b7bfa-13b7c20 2730->2733 2734 13b7c25-13b7c28 2730->2734 2733->2734 2739 13b7c2a-13b7c50 2734->2739 2740 13b7c55-13b7c58 2734->2740 2739->2740 2743 13b7c5a-13b7c80 2740->2743 2744 13b7c85-13b7c88 2740->2744 2743->2744 2749 13b7c8a-13b7c9e 2744->2749 2750 13b7ca3-13b7ca6 2744->2750 2749->2750 2753 13b7ca8-13b7cce 2750->2753 2754 13b7cd3-13b7cd6 2750->2754 2753->2754 2759 13b7cd8-13b7cfe 2754->2759 2760 13b7d03-13b7d06 2754->2760 2759->2760 2763 13b7d08-13b7d2e 2760->2763 2764 13b7d33-13b7d36 2760->2764 2763->2764 2769 13b7d38-13b7d5e 2764->2769 2770 13b7d63-13b7d66 2764->2770 2769->2770 2773 13b7d68-13b7d8e 2770->2773 2774 13b7d93-13b7d96 2770->2774 2773->2774 2778 13b7d98-13b7dbe 2774->2778 2779 13b7dc3-13b7dc6 2774->2779 2778->2779 2782 13b7dc8-13b7dee 2779->2782 2783 13b7df3-13b7df6 2779->2783 2782->2783 2787 13b7df8-13b7e1e 2783->2787 2788 13b7e23-13b7e26 2783->2788 2787->2788 2792 13b7e28-13b7e4e 2788->2792 2793 13b7e53-13b7e56 2788->2793 2792->2793 2797 13b7e58-13b7e7e 2793->2797 2798 13b7e83-13b7e86 2793->2798 2797->2798 2802 13b7e88-13b7eae 2798->2802 2803 13b7eb3-13b7eb6 2798->2803 2802->2803 2807 13b7eb8-13b7ede 2803->2807 2808 13b7ee3-13b7ee6 2803->2808 2807->2808 2812 13b7ee8-13b7f0e 2808->2812 2813 13b7f13-13b7f16 2808->2813 2812->2813 2817 13b7f18-13b7f3e 2813->2817 2818 13b7f43-13b7f46 2813->2818 2817->2818 2822 13b7f48-13b7f6e 2818->2822 2823 13b7f73-13b7f76 2818->2823 2822->2823 2827 13b7f78-13b7f9e 2823->2827 2828 13b7fa3-13b7fa6 2823->2828 2827->2828 2832 13b7fa8-13b7fce 2828->2832 2833 13b7fd3-13b7fd6 2828->2833 2832->2833 2837 13b7fd8-13b7ffe 2833->2837 2838 13b8003-13b8006 2833->2838 2837->2838 2842 13b8008-13b802e 2838->2842 2843 13b8033-13b8036 2838->2843 2842->2843 2847 13b8038-13b805e 2843->2847 2848 13b8063-13b8066 2843->2848 2847->2848 2852 13b8068-13b808e 2848->2852 2853 13b8093-13b8096 2848->2853 2852->2853 2857 13b8098-13b80be 2853->2857 2858 13b80c3-13b80c6 2853->2858 2857->2858 2863 13b80c8 2858->2863 2864 13b80d3-13b80d5 2858->2864 2873 13b80ce 2863->2873 2867 13b80dc-13b80df 2864->2867 2868 13b80d7 2864->2868 2867->2667 2875 13b80e5-13b80eb 2867->2875 2868->2867 2873->2864 2880->2682 2881->2682 2882->2682
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 581c293fff4147817b8cfae9620064dd5bb308407b5bc02b53f663d19e54c86d
                                                    • Instruction ID: f319279007ceda48366dc225678add1928f2dc77cd68e0f90d555d2ac6ffae22
                                                    • Opcode Fuzzy Hash: 581c293fff4147817b8cfae9620064dd5bb308407b5bc02b53f663d19e54c86d
                                                    • Instruction Fuzzy Hash: 3A124D387102168BDB29AB3CE4946A8B2E7FBC9244B104A79D606CB355DF71F8468FC1
                                                    Function 013B41BC Relevance: .3, Instructions: 282COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 3870 13b41bc-13b41be 3871 13b41c2 3870->3871 3872 13b41c0-13b41c1 3870->3872 3873 13b41c3-13b41c4 3871->3873 3874 13b41c6 3871->3874 3872->3871 3873->3874 3875 13b41ca-13b422e 3874->3875 3876 13b41c8-13b41c9 3874->3876 3878 13b4278-13b427a 3875->3878 3879 13b4230-13b423b 3875->3879 3876->3875 3880 13b427c-13b4295 3878->3880 3879->3878 3881 13b423d-13b4249 3879->3881 3888 13b42e1-13b42e3 3880->3888 3889 13b4297-13b42a3 3880->3889 3882 13b424b-13b4255 3881->3882 3883 13b426c-13b4276 3881->3883 3885 13b4259-13b4268 3882->3885 3886 13b4257 3882->3886 3883->3880 3885->3885 3887 13b426a 3885->3887 3886->3885 3887->3883 3890 13b42e5-13b433d 3888->3890 3889->3888 3891 13b42a5-13b42b1 3889->3891 3900 13b433f-13b434a 3890->3900 3901 13b4387-13b4389 3890->3901 3892 13b42b3-13b42bd 3891->3892 3893 13b42d4-13b42df 3891->3893 3894 13b42bf 3892->3894 3895 13b42c1-13b42d0 3892->3895 3893->3890 3894->3895 3895->3895 3897 13b42d2 3895->3897 3897->3893 3900->3901 3902 13b434c-13b4358 3900->3902 3903 13b438b-13b43a3 3901->3903 3904 13b437b-13b4385 3902->3904 3905 13b435a-13b4364 3902->3905 3910 13b43ed-13b43ef 3903->3910 3911 13b43a5-13b43b0 3903->3911 3904->3903 3906 13b4368-13b4377 3905->3906 3907 13b4366 3905->3907 3906->3906 3909 13b4379 3906->3909 3907->3906 3909->3904 3912 13b43f1-13b4403 3910->3912 3911->3910 3913 13b43b2-13b43be 3911->3913 3920 13b440a-13b4442 3912->3920 3914 13b43e1-13b43eb 3913->3914 3915 13b43c0-13b43ca 3913->3915 3914->3912 3916 13b43ce-13b43dd 3915->3916 3917 13b43cc 3915->3917 3916->3916 3919 13b43df 3916->3919 3917->3916 3919->3914 3921 13b4448-13b4456 3920->3921 3922 13b4458-13b445e 3921->3922 3923 13b445f-13b44bf 3921->3923 3922->3923 3930 13b44cf-13b44d3 3923->3930 3931 13b44c1-13b44c5 3923->3931 3933 13b44e3-13b44e7 3930->3933 3934 13b44d5-13b44d9 3930->3934 3931->3930 3932 13b44c7 3931->3932 3932->3930 3935 13b44e9-13b44ed 3933->3935 3936 13b44f7-13b44fb 3933->3936 3934->3933 3937 13b44db 3934->3937 3935->3936 3938 13b44ef-13b44f2 call 13b0ab8 3935->3938 3939 13b450b-13b450f 3936->3939 3940 13b44fd-13b4501 3936->3940 3937->3933 3938->3936 3943 13b451f-13b4523 3939->3943 3944 13b4511-13b4515 3939->3944 3940->3939 3942 13b4503-13b4506 call 13b0ab8 3940->3942 3942->3939 3947 13b4533-13b4537 3943->3947 3948 13b4525-13b4529 3943->3948 3944->3943 3946 13b4517-13b451a call 13b0ab8 3944->3946 3946->3943 3949 13b4539-13b453d 3947->3949 3950 13b4547 3947->3950 3948->3947 3952 13b452b 3948->3952 3949->3950 3953 13b453f 3949->3953 3954 13b4548 3950->3954 3952->3947 3953->3950 3954->3954
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 425bb4c0fb2e34dbfe8ce2031578e33dc83bf7176511ba070ae0bc90ba180f9d
                                                    • Instruction ID: 3d340e8796a86a2980fd3558f4f7189e02868ad7426c84d1ec9ff43c5e1fd5e2
                                                    • Opcode Fuzzy Hash: 425bb4c0fb2e34dbfe8ce2031578e33dc83bf7176511ba070ae0bc90ba180f9d
                                                    • Instruction Fuzzy Hash: 13B17070E00209CFDF10CFA9D8857DDBBF1BF88318F148129D51AABA55EB349851CB95
                                                    Function 013B4A8C Relevance: .3, Instructions: 264COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b937715b67ffd566e7a18a5a49062ae744035071d6cc31f6ab48aa6d40e92909
                                                    • Instruction ID: c62ee67101c649d016696db91d779ee32ef1531bdcb3e68c8c2ea9cd050545d9
                                                    • Opcode Fuzzy Hash: b937715b67ffd566e7a18a5a49062ae744035071d6cc31f6ab48aa6d40e92909
                                                    • Instruction Fuzzy Hash: 36B17D70E00209DFDF10CFA8D8817EDBBF1AF48718F148129D656ABA56FB749845CB89
                                                    Function 013B3E74 Relevance: .2, Instructions: 239COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 784b757a55c6d58f459c3541fd601049b30fff13bc24aada534148828a8b453f
                                                    • Instruction ID: cc3a012c1bc8ebe7cd2f450f9deb17fa04138a2120737d87e60f25017d429064
                                                    • Opcode Fuzzy Hash: 784b757a55c6d58f459c3541fd601049b30fff13bc24aada534148828a8b453f
                                                    • Instruction Fuzzy Hash: C6A18B70E00219DFDF10CFA8D8857EEBBF1BF88318F148129E505AB654EB749846CB95
                                                    Function 013B4804 Relevance: .2, Instructions: 185COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 14133dc1f52fab04a29fae2a3be6ce590a04fe06a7ad09d0898bf4bd5cc36df7
                                                    • Instruction ID: 36bc5a787f12ed2238d6bdce2f9ba810065c2606f6af52b9ed49a1b9dcd3a761
                                                    • Opcode Fuzzy Hash: 14133dc1f52fab04a29fae2a3be6ce590a04fe06a7ad09d0898bf4bd5cc36df7
                                                    • Instruction Fuzzy Hash: DB719D70E00349CFEB10CFA9D8807DEBBF1BF88718F148129E516A7651EB359841CB99
                                                    Function 013B4810 Relevance: .2, Instructions: 180COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ed777a65d69bd42a4f8a4b945448c086d125eca37e4d44d9f3047eceb78978ed
                                                    • Instruction ID: 2c781ae1302cb8b110818285f47a75cc6cf92beb6cda6cb6bc3b681160b1f40a
                                                    • Opcode Fuzzy Hash: ed777a65d69bd42a4f8a4b945448c086d125eca37e4d44d9f3047eceb78978ed
                                                    • Instruction Fuzzy Hash: 39718E70E00349DFEB14CFA9D8807DEBBF2BF88318F148129E516A7655EB359841CB99
                                                    Function 013B6ED8 Relevance: .2, Instructions: 150COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f38d08f5a75db5993ed0458306c77affae25acac517be90ab3d7a2583f5cae5b
                                                    • Instruction ID: c22ecc02c86742608e651b8bf5250ebcdce8f70536e53c1ebcaf63dcffa73621
                                                    • Opcode Fuzzy Hash: f38d08f5a75db5993ed0458306c77affae25acac517be90ab3d7a2583f5cae5b
                                                    • Instruction Fuzzy Hash: BE51E574E002198FDB15DF68C4917EEBBB2FF85304F50856AE606EB681EB719C46CB90
                                                    Function 013B6CDF Relevance: .1, Instructions: 137COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6246f565e7fd3d95bb714f26ecb7c02c6ccbb09758ab215e270fb1e1983e021f
                                                    • Instruction ID: bd0e3bc084ca53cf8f5e6d1a838768c4a01d4b56c8b117927d7e5e8a0b659ab7
                                                    • Opcode Fuzzy Hash: 6246f565e7fd3d95bb714f26ecb7c02c6ccbb09758ab215e270fb1e1983e021f
                                                    • Instruction Fuzzy Hash: BB5124B1D102188FDB18CFA9C885BDDBBB1BF48304F14812DD919BB752E774A844CB94
                                                    Function 013B6CE8 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 46038e8b3b92b05e6689e94e7056cb6135dd3dd11c59048e20f6f3b1e9f295af
                                                    • Instruction ID: 26c4b4970af734fd16df5efbccff204ad3f6aac40a49bfc42480c1211e8b42c6
                                                    • Opcode Fuzzy Hash: 46038e8b3b92b05e6689e94e7056cb6135dd3dd11c59048e20f6f3b1e9f295af
                                                    • Instruction Fuzzy Hash: 4F5124B0E102188FDB18CFA9C885BDDBBB1BF48304F14811DD919BB791E774A844CB95
                                                    Function 013B1128 Relevance: .1, Instructions: 127COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b0009f5bab4f6a2c418a75006e6714c48a5d7753af84a53c9680fea78b3a70a2
                                                    • Instruction ID: 192f6dada109735dca87265e54e065eb8e4bd0b94399944274deb228fa4cfcec
                                                    • Opcode Fuzzy Hash: b0009f5bab4f6a2c418a75006e6714c48a5d7753af84a53c9680fea78b3a70a2
                                                    • Instruction Fuzzy Hash: DF512034E42256CFCB0AFB7EF9A09953BB5B7A67047008B69D2084767EEB203905CB41
                                                    Function 013BF2ED Relevance: .1, Instructions: 113COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5b514b753db26982a189b5ec940028c856715e319bc1b9d9d063bf098cc8654f
                                                    • Instruction ID: 78ec50cb0e04d816c94af4c1826572ec8e2589b076ca35a7406e0a2b2baf030b
                                                    • Opcode Fuzzy Hash: 5b514b753db26982a189b5ec940028c856715e319bc1b9d9d063bf098cc8654f
                                                    • Instruction Fuzzy Hash: 8A41F1307002058FEB1AAB78D8546AE7BA6AFCA614F144568D406DB796EF35CD42C780
                                                    Function 013B1138 Relevance: .1, Instructions: 112COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 886d363e680d1c29d014f0fb483e7907b4ee43ba23e4b58d063d985f13cff512
                                                    • Instruction ID: 7c05297ebc8af4492422c85949ffd75275b994ac9c77553a22ddd43776ec4112
                                                    • Opcode Fuzzy Hash: 886d363e680d1c29d014f0fb483e7907b4ee43ba23e4b58d063d985f13cff512
                                                    • Instruction Fuzzy Hash: 14510134D52256CFCB0AFB6EF9A09853BE5B7A57047008B69D2084767DEB707905CB41
                                                    Function 013BF1B0 Relevance: .1, Instructions: 99COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 38573f879b39004b55284af4450d6f989de9b4979947493e1e71f0d3a9143194
                                                    • Instruction ID: 4c3e2867685970258bdf2eb69798e6abc54b5fff6aaa5fd8af35591802163654
                                                    • Opcode Fuzzy Hash: 38573f879b39004b55284af4450d6f989de9b4979947493e1e71f0d3a9143194
                                                    • Instruction Fuzzy Hash: 39319339E102059BDB15DFA9C8946DEB7B6FF89304F108519E906EB741EB70AC428B80
                                                    Function 013B26DC Relevance: .1, Instructions: 98COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 54afcb5bc1d807bbd5e292fa53e3e33260016f835d5a05f86b42b187c0bfdcb2
                                                    • Instruction ID: 5d0df2aa6a613e4fdf25cc75edcebc5de9775e825732e331335b242f948e95a9
                                                    • Opcode Fuzzy Hash: 54afcb5bc1d807bbd5e292fa53e3e33260016f835d5a05f86b42b187c0bfdcb2
                                                    • Instruction Fuzzy Hash: 80411FB4D0034CDFEB10CFA9C884ADEBBF4BF48314F14802AE509AB250EB75A945CB94
                                                    Function 013B6F78 Relevance: .1, Instructions: 95COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e082fdf3e700c8e59c8f14f72feea2fc2fc578d9c617aaff2774bcc1b20197db
                                                    • Instruction ID: 24cfad7b87df892f2f18c7863a0e7faaf5a2a08a1439de38f56938ef7985f5d8
                                                    • Opcode Fuzzy Hash: e082fdf3e700c8e59c8f14f72feea2fc2fc578d9c617aaff2774bcc1b20197db
                                                    • Instruction Fuzzy Hash: 7D319074E00219CBEB15CF69C4807DEB7B2FF89304F108526E606EB681EB71A945CB50
                                                    Function 013BF1C0 Relevance: .1, Instructions: 91COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1295984c343d8a345838b9d35cc2da832f04129f648f015bd2008940e948099f
                                                    • Instruction ID: d914684f20b4603fa36c104ac64ff878e16b436fbad3c512d1877d1946f47e1b
                                                    • Opcode Fuzzy Hash: 1295984c343d8a345838b9d35cc2da832f04129f648f015bd2008940e948099f
                                                    • Instruction Fuzzy Hash: 3B318238E106059BDB15DFA9D89469EF7F6BF89304F108519E906EB750EB71EC42CB80
                                                    Function 013B26E8 Relevance: .1, Instructions: 90COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2de6a47bd973c2d521b1d87c1a02cec88dffb07d6b3d75e5f7f9c46d5ed0d2c5
                                                    • Instruction ID: ad6194defe782ebd62b137914e6b38500d82c0a107067281927c92109c73db14
                                                    • Opcode Fuzzy Hash: 2de6a47bd973c2d521b1d87c1a02cec88dffb07d6b3d75e5f7f9c46d5ed0d2c5
                                                    • Instruction Fuzzy Hash: C241EFB4D0034CDFEB14CFA9C484ADEBBF5BF48314F148429E919AB250EB75A945CB94
                                                    Function 013B50A8 Relevance: .1, Instructions: 89COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1541d2f7e9653a2f8990420cf917d273a2c77007dad20f57e51ccc24543f3dd0
                                                    • Instruction ID: d71b95ec55092b350fb853d0883237d64325fd5462e98d29b19222995f089fe9
                                                    • Opcode Fuzzy Hash: 1541d2f7e9653a2f8990420cf917d273a2c77007dad20f57e51ccc24543f3dd0
                                                    • Instruction Fuzzy Hash: 6F316E30B00216CBDF25EB78C5A06EE77F2AB89648F100568C605AB7A4EB36DC41CB91
                                                    Function 013B5099 Relevance: .1, Instructions: 89COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2005961a77e7e3ffa6acc7972359d8676d644820daddcb271c13f05c0595b38c
                                                    • Instruction ID: 81a900d082ee6e353400852d49abe0b54e49ec85ac80e07b24358341ffeefa84
                                                    • Opcode Fuzzy Hash: 2005961a77e7e3ffa6acc7972359d8676d644820daddcb271c13f05c0595b38c
                                                    • Instruction Fuzzy Hash: 5B314D30B04215CBDF25EB78C5A06EE77F2AF49248F100568CA05AB7A5EB36DC41CB91
                                                    Function 013B9250 Relevance: .1, Instructions: 85COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: eb50204032a036032037cafc099cb0e240dc154ef16117a84b514007f398ffd4
                                                    • Instruction ID: 1cc8331da61161855fc6e18df365879d82b4fd86cba529115493264147fa0f97
                                                    • Opcode Fuzzy Hash: eb50204032a036032037cafc099cb0e240dc154ef16117a84b514007f398ffd4
                                                    • Instruction Fuzzy Hash: C3319375E0020A9BDB05DFA8C4907DEF7B2BF89308F148619E605AB741E771A842CB90
                                                    Function 013B9260 Relevance: .1, Instructions: 78COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c8ff6f8dda8dce7eb47e4d414086bc5677590313f4c3f529d96fc8baabb615ec
                                                    • Instruction ID: 6a25aa6be314ac3b68f446e47afa12ed05156fa307a68b53be1256da93b6ae0d
                                                    • Opcode Fuzzy Hash: c8ff6f8dda8dce7eb47e4d414086bc5677590313f4c3f529d96fc8baabb615ec
                                                    • Instruction Fuzzy Hash: 1F216574E1020A9BDB05DFA9D4907DEF7B2FF89308F148615E605EB751EB71A842CB90
                                                    Function 013B16A0 Relevance: .1, Instructions: 78COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9a5f7deb81e4c1f4e2555c5069ba5feb6c3c0c82b0a4249b8a1661e6b5d9613f
                                                    • Instruction ID: 94c11d897e919ed734d332edadba098cd90e8bc7de0c5a01caf355fbf75c2f1a
                                                    • Opcode Fuzzy Hash: 9a5f7deb81e4c1f4e2555c5069ba5feb6c3c0c82b0a4249b8a1661e6b5d9613f
                                                    • Instruction Fuzzy Hash: 8C21F438A012118FEF23AB3DF8A47DA3361FB85B18F145B21D50AC7A56FB25C8458B91
                                                    Function 013B9150 Relevance: .1, Instructions: 77COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 45759294a85e7565993c7af684e083c77059bacb4a6bb88357898627abaa9e50
                                                    • Instruction ID: 2877fe5d81c150dc3e35ab362e166b1241ed1059d04eff5dd0153229d744f439
                                                    • Opcode Fuzzy Hash: 45759294a85e7565993c7af684e083c77059bacb4a6bb88357898627abaa9e50
                                                    • Instruction Fuzzy Hash: AA21B774E0021ADBDB19CF68D4846DEF7B2AF85308F10852AEA06FB741EB71D942CB50
                                                    Function 013B1380 Relevance: .1, Instructions: 74COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9b22d07aa4afd27f12397451b932149807ca4dd3a703dc2ce04c8c1f01461ab8
                                                    • Instruction ID: 5c0f15acee6fc40b29de215aa5361517afc070399723c9d5ebfb1ad819ad06e7
                                                    • Opcode Fuzzy Hash: 9b22d07aa4afd27f12397451b932149807ca4dd3a703dc2ce04c8c1f01461ab8
                                                    • Instruction Fuzzy Hash: 6721A174E412108BEB36576DF4A83A93761E742319F51083AD60BDBE86FA298884C792
                                                    Function 013B4F88 Relevance: .1, Instructions: 73COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8518e341c8b6bfc9d30604dbf091d23a20cfc34d66dbede94478cdbeec318a1d
                                                    • Instruction ID: c9f1a4609491543c55dfcbf7cabb88bfe76d4436c3253df05861975996403186
                                                    • Opcode Fuzzy Hash: 8518e341c8b6bfc9d30604dbf091d23a20cfc34d66dbede94478cdbeec318a1d
                                                    • Instruction Fuzzy Hash: 0C214834B00205CFDB64DB78C5A86AD77F1AF8D304F100468E606EB3A5EB319D05CB90
                                                    Function 0136D01C Relevance: .1, Instructions: 72COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767404361.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_136d000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2f5f9009366f558f83721f499829295877dc279555cdec58239f372e955a5f10
                                                    • Instruction ID: 17f2b688552d57909afd0dc51163c94d4fe88976d4328486433fa7561761ffb4
                                                    • Opcode Fuzzy Hash: 2f5f9009366f558f83721f499829295877dc279555cdec58239f372e955a5f10
                                                    • Instruction Fuzzy Hash: 76212571604344DFDB15DF64D880B26BB69FB84318F24C56DE88A0B64AC337D407CA62
                                                    Function 013B9160 Relevance: .1, Instructions: 70COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 463613f32a87b0d262f7d1fb61213c927c4d2b58f5b6cc9b64bf15fb96d04b83
                                                    • Instruction ID: f37bc34e5afa3bce881662a2ee4f1ccda1ed19429501996ae92168df8203a796
                                                    • Opcode Fuzzy Hash: 463613f32a87b0d262f7d1fb61213c927c4d2b58f5b6cc9b64bf15fb96d04b83
                                                    • Instruction Fuzzy Hash: 6021AA74E0021ADBCB19CF68D4946DEF7B2AF85308F10851AEA15FB741EB71D945CB50
                                                    Function 013B1888 Relevance: .1, Instructions: 70COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d0859c3d843e78c47060f9f4d2a9f6586095917834008bfa8e0c7ba6562f9dcc
                                                    • Instruction ID: 680bb79f94b517ec8d56f6f724343fd6ab3247834b3f0e58b6e6929b273bba6f
                                                    • Opcode Fuzzy Hash: d0859c3d843e78c47060f9f4d2a9f6586095917834008bfa8e0c7ba6562f9dcc
                                                    • Instruction Fuzzy Hash: 31215C30B04255CFDB64EB68D5A47EE77F6AB89248F100468D606EB764EB329C40CBA1
                                                    Function 013B16B0 Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9ca340c0900b01968b1cd3ad91b43858280f9af10c87eeb5addb5bca193db9ea
                                                    • Instruction ID: 9dfbd6eda10d69acc2a533eded9b1d04183493216b156e0846582149d0e78cf8
                                                    • Opcode Fuzzy Hash: 9ca340c0900b01968b1cd3ad91b43858280f9af10c87eeb5addb5bca193db9ea
                                                    • Instruction Fuzzy Hash: 0D218438A012158FDF22E76DF8947DA3355FB85A18F104B20D50AC7656FB35D8458B91
                                                    Function 013B1879 Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f35c52e9d420ddd019f779b4d7c04877d011680c41d31a883cf9fd114641fae0
                                                    • Instruction ID: 97b832a84b0a7ab9c92a030243f26ba20c7a2fd854a2750da6596ce0e5d6092d
                                                    • Opcode Fuzzy Hash: f35c52e9d420ddd019f779b4d7c04877d011680c41d31a883cf9fd114641fae0
                                                    • Instruction Fuzzy Hash: 9C215C30B04255CFEB64EB78D5A43EE77F1AB49249F200468C206EB7A5EB368D00CB91
                                                    Function 013B4F98 Relevance: .1, Instructions: 68COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53d3495971f5257cddd29404df07f924be26e3e6f5a294184e96cc164be36161
                                                    • Instruction ID: 417ee70cf8fbc63b3d8c69796ff726c4345d14839f057b13cad309f3ddf6cc8b
                                                    • Opcode Fuzzy Hash: 53d3495971f5257cddd29404df07f924be26e3e6f5a294184e96cc164be36161
                                                    • Instruction Fuzzy Hash: 08213C30B00219CFDB68DF79D5A8AAE77F5AF89714F100468E506EB3A5EB719D00CB91
                                                    Function 013B17C3 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9093d9995482232f8cca4be153d99ca803b54de561f0aa5fc0404eaec72ba66d
                                                    • Instruction ID: 27218ee22ca47d761f91ae94eea11b7a3f904faa67dc3d4700515665c7ac8f67
                                                    • Opcode Fuzzy Hash: 9093d9995482232f8cca4be153d99ca803b54de561f0aa5fc0404eaec72ba66d
                                                    • Instruction Fuzzy Hash: 76112676F402168FCF10ABBAA8A52AE3FE9FB44610F100579D706D3741EA31C802C784
                                                    Function 013B148B Relevance: .1, Instructions: 66COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a4a898636e8a1b5f6136c704e96a782f6f53ef41cd639b38bcb6457a19d68363
                                                    • Instruction ID: 9651e93335ec118a4e15a81ff865d46e2c72df2f083ea1a1ad2d0de85acd55ed
                                                    • Opcode Fuzzy Hash: a4a898636e8a1b5f6136c704e96a782f6f53ef41cd639b38bcb6457a19d68363
                                                    • Instruction Fuzzy Hash: 7F11B632B002558FCB15AFBCA4E05FE7FB5EF88258B1440BAD605E7A02F635C9428BD1
                                                    Function 013B6B9F Relevance: .1, Instructions: 65COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ceb9093d4d733113fb3ddb85b3d20911ffef1de9d62c01571179954f5b1a639b
                                                    • Instruction ID: 83ea6280826649e790960311c6e04f1f769cd007c70eebdab2889fdcdafc1a65
                                                    • Opcode Fuzzy Hash: ceb9093d4d733113fb3ddb85b3d20911ffef1de9d62c01571179954f5b1a639b
                                                    • Instruction Fuzzy Hash: EA1104717082858FC716AB7D94612EE7FB2EFC7204B1480EBC646CB653EA395C06C3A1
                                                    Function 013B80F1 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a0d249238c90f7ab2c969cd8300051da477756fd2342004226c423dc99662fa7
                                                    • Instruction ID: 388eeb9dce9a916d44da695d6a111608d3f7e8380a91a688657c4d0145fe4adc
                                                    • Opcode Fuzzy Hash: a0d249238c90f7ab2c969cd8300051da477756fd2342004226c423dc99662fa7
                                                    • Instruction Fuzzy Hash: 2711B138A00219DFDF01EBBCF8906DD77B5FB84704F0046B9C609D7255EB31AA058B91
                                                    Function 013B0838 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0866be860e138160648774f5e77be9bc5f9290fe8a8fdb405868ddf48235954d
                                                    • Instruction ID: 2f3a9cdce4babe1a5b1764db0070aae5655e60c0a77d00e2dc76ca853a99b5f2
                                                    • Opcode Fuzzy Hash: 0866be860e138160648774f5e77be9bc5f9290fe8a8fdb405868ddf48235954d
                                                    • Instruction Fuzzy Hash: 08119B31F052144BEF2A5B7DD4903EB3B71FB81618F148A79E247DB682FA64CA458BC1
                                                    Function 013B0848 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: cd9fdccae644e7f80f17a1d5228bcebdd03c01a6e9a49aca2c9aeb7ac373398c
                                                    • Instruction ID: cacdd704b7105308bd804334a767b31aa209f87a1897f611b3565e7c91464adc
                                                    • Opcode Fuzzy Hash: cd9fdccae644e7f80f17a1d5228bcebdd03c01a6e9a49aca2c9aeb7ac373398c
                                                    • Instruction Fuzzy Hash: EB119B30B012088BEF2A5B7DD4947AB3675FB81618F104A39E207CF652FA61CE454BC1
                                                    Function 0136D017 Relevance: .1, Instructions: 53COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767404361.000000000136D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0136D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_136d000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                    • Instruction ID: 7326b28c62850360c15e59904256b6606d5da6f18bb7d1bfa3b718fdeb85103e
                                                    • Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                    • Instruction Fuzzy Hash: 00118E75604280DFDB16CF54D5C4B15FF71FB84318F24C6A9D8494B65AC33AD44ACB62
                                                    Function 013B1498 Relevance: .1, Instructions: 53COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e5c10cf4a9bc8938d55c66f3490bac5d1cc9f795ddb01be30229a7c724ebce9b
                                                    • Instruction ID: 355efc21f9d16e5d5877006c87b96e1d598f44a50b5e38940967def8cbf62d7a
                                                    • Opcode Fuzzy Hash: e5c10cf4a9bc8938d55c66f3490bac5d1cc9f795ddb01be30229a7c724ebce9b
                                                    • Instruction Fuzzy Hash: 52012D31B002159FCB25EFBD94A02EF7BF5EB88218F14047ADA06E7701F635C9418B95
                                                    Function 013B1524 Relevance: .0, Instructions: 36COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00de9e8582e7a221150e993b8d2c65b6a91ca164aea8726aea03861664552673
                                                    • Instruction ID: cae9b6ea81aea43ee21e4dcb7260f6222078034f770d7a35b5ba8ab811802fa0
                                                    • Opcode Fuzzy Hash: 00de9e8582e7a221150e993b8d2c65b6a91ca164aea8726aea03861664552673
                                                    • Instruction Fuzzy Hash: E6F02B33B04114CFDB228BF8A4E01EC7F75FA9411971C0097D606DBA05F235D402C711
                                                    Function 013B7090 Relevance: .0, Instructions: 34COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9f42ef14f9e9433f51b200f2d881c0200de6c82ee3694b41a19042c4b5ba5cbf
                                                    • Instruction ID: 871823be6dde1e612ccf4d8451a51083a0771249af346b6999cc9c76213da228
                                                    • Opcode Fuzzy Hash: 9f42ef14f9e9433f51b200f2d881c0200de6c82ee3694b41a19042c4b5ba5cbf
                                                    • Instruction Fuzzy Hash: 66F03C39B40104CFC714DB64D5A8B6C77B2EF88715F654069E6068B3A0DB31AD42CB40
                                                    Function 013B8100 Relevance: .0, Instructions: 33COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 00000009.00000002.2767830092.00000000013B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013B0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_9_2_13b0000_kzy8qg5lbR.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: db8a1d6382ed0109b83b6faf073cb4a249535ce785c2cf5ed4ce7f06ecfccc94
                                                    • Instruction ID: 7948de55c98d14483d3a028a731bf32f0b3f35d1bcafec71d5c8102fd28da7e1
                                                    • Opcode Fuzzy Hash: db8a1d6382ed0109b83b6faf073cb4a249535ce785c2cf5ed4ce7f06ecfccc94
                                                    • Instruction Fuzzy Hash: C1F03C3490121DEFDF45FBB8F9506EDB7B1BB84600F1047B9C40997254EB322E048B91

                                                    Execution Graph

                                                    Execution Coverage:12.1%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:197
                                                    Total number of Limit Nodes:8
                                                    execution_graph 34923 156d6e1 34924 156d6a4 DuplicateHandle 34923->34924 34926 156d6ea 34923->34926 34925 156d6b6 34924->34925 34906 156d3d8 34907 156d41e GetCurrentProcess 34906->34907 34909 156d470 GetCurrentThread 34907->34909 34910 156d469 34907->34910 34911 156d4a6 34909->34911 34912 156d4ad GetCurrentProcess 34909->34912 34910->34909 34911->34912 34915 156d4e3 34912->34915 34913 156d50b GetCurrentThreadId 34914 156d53c 34913->34914 34915->34913 34927 1564668 34928 156467a 34927->34928 34929 1564686 34928->34929 34933 1564778 34928->34933 34938 1564204 34929->34938 34931 15646a5 34934 156479d 34933->34934 34942 1564878 34934->34942 34946 1564888 34934->34946 34939 156420f 34938->34939 34954 1565c6c 34939->34954 34941 1566ff0 34941->34931 34944 1564882 34942->34944 34943 156498c 34944->34943 34950 15644e4 34944->34950 34947 15648af 34946->34947 34948 156498c 34947->34948 34949 15644e4 CreateActCtxA 34947->34949 34949->34948 34951 1565918 CreateActCtxA 34950->34951 34953 15659db 34951->34953 34953->34953 34955 1565c77 34954->34955 34958 1565c8c 34955->34958 34957 1567095 34957->34941 34959 1565c97 34958->34959 34962 1565cbc 34959->34962 34961 156717a 34961->34957 34963 1565cc7 34962->34963 34966 1565cec 34963->34966 34965 156726d 34965->34961 34967 1565cf7 34966->34967 34969 156856b 34967->34969 34972 156ac1b 34967->34972 34968 15685a9 34968->34965 34969->34968 34976 156cd00 34969->34976 34981 156ac50 34972->34981 34984 156ac40 34972->34984 34973 156ac2e 34973->34969 34978 156cd31 34976->34978 34977 156cd55 34977->34968 34978->34977 34993 156cec0 34978->34993 34997 156ceb1 34978->34997 34988 156ad48 34981->34988 34982 156ac5f 34982->34973 34985 156ac50 34984->34985 34987 156ad48 GetModuleHandleW 34985->34987 34986 156ac5f 34986->34973 34987->34986 34989 156ad59 34988->34989 34990 156ad7c 34988->34990 34989->34990 34991 156af80 GetModuleHandleW 34989->34991 34990->34982 34992 156afad 34991->34992 34992->34982 34994 156cecd 34993->34994 34995 156cf07 34994->34995 35001 156b720 34994->35001 34995->34977 34998 156cec0 34997->34998 34999 156cf07 34998->34999 35000 156b720 GetModuleHandleW 34998->35000 34999->34977 35000->34999 35002 156b72b 35001->35002 35004 156dc18 35002->35004 35005 156d024 35002->35005 35004->35004 35006 156d02f 35005->35006 35007 1565cec GetModuleHandleW 35006->35007 35008 156dc87 35007->35008 35008->35004 34916 71f9470 34917 71f95fb 34916->34917 34918 71f9496 34916->34918 34918->34917 34920 71f52e0 34918->34920 34921 71f96f0 PostMessageW 34920->34921 34922 71f975c 34921->34922 34922->34918 35009 71f7060 35010 71f6e62 35009->35010 35011 71f706a 35009->35011 35015 71f8270 35011->35015 35030 71f8280 35011->35030 35012 71f70d3 35016 71f8280 35015->35016 35045 71f8924 35016->35045 35050 71f8a64 35016->35050 35058 71f8e65 35016->35058 35062 71f87e6 35016->35062 35067 71f88f7 35016->35067 35072 71f89b9 35016->35072 35077 71f884f 35016->35077 35082 71f8c80 35016->35082 35087 71f8c01 35016->35087 35092 71f87a3 35016->35092 35100 71f8694 35016->35100 35104 71f8d14 35016->35104 35017 71f82be 35017->35012 35031 71f829a 35030->35031 35033 71f884f 2 API calls 35031->35033 35034 71f89b9 2 API calls 35031->35034 35035 71f88f7 2 API calls 35031->35035 35036 71f87e6 2 API calls 35031->35036 35037 71f8e65 2 API calls 35031->35037 35038 71f8a64 4 API calls 35031->35038 35039 71f8924 2 API calls 35031->35039 35040 71f8d14 2 API calls 35031->35040 35041 71f8694 2 API calls 35031->35041 35042 71f87a3 4 API calls 35031->35042 35043 71f8c01 2 API calls 35031->35043 35044 71f8c80 2 API calls 35031->35044 35032 71f82be 35032->35012 35033->35032 35034->35032 35035->35032 35036->35032 35037->35032 35038->35032 35039->35032 35040->35032 35041->35032 35042->35032 35043->35032 35044->35032 35046 71f8939 35045->35046 35108 71f60b9 35046->35108 35112 71f60c0 35046->35112 35047 71f86ef 35047->35017 35051 71f8a71 35050->35051 35052 71f87e5 35050->35052 35116 71f65a8 35051->35116 35120 71f65a0 35051->35120 35053 71f86ef 35052->35053 35054 71f60b9 ResumeThread 35052->35054 35055 71f60c0 ResumeThread 35052->35055 35053->35017 35054->35053 35055->35053 35060 71f65a8 Wow64SetThreadContext 35058->35060 35061 71f65a0 Wow64SetThreadContext 35058->35061 35059 71f8bc0 35059->35058 35060->35059 35061->35059 35063 71f8800 35062->35063 35065 71f60b9 ResumeThread 35063->35065 35066 71f60c0 ResumeThread 35063->35066 35064 71f86ef 35064->35017 35065->35064 35066->35064 35068 71f88f8 35067->35068 35070 71f60b9 ResumeThread 35068->35070 35071 71f60c0 ResumeThread 35068->35071 35069 71f86ef 35069->35017 35070->35069 35071->35069 35073 71f89d4 35072->35073 35075 71f60b9 ResumeThread 35073->35075 35076 71f60c0 ResumeThread 35073->35076 35074 71f86ef 35074->35017 35075->35074 35076->35074 35079 71f886e 35077->35079 35078 71f8d8d 35124 71f6738 35079->35124 35128 71f6740 35079->35128 35083 71f8c90 35082->35083 35085 71f6738 WriteProcessMemory 35083->35085 35086 71f6740 WriteProcessMemory 35083->35086 35084 71f86ef 35084->35017 35085->35084 35086->35084 35088 71f8c0a 35087->35088 35090 71f6738 WriteProcessMemory 35088->35090 35091 71f6740 WriteProcessMemory 35088->35091 35089 71f8f3e 35090->35089 35091->35089 35093 71f87a9 35092->35093 35132 71f9310 35093->35132 35137 71f9320 35093->35137 35094 71f87c3 35096 71f6738 WriteProcessMemory 35094->35096 35097 71f6740 WriteProcessMemory 35094->35097 35095 71f8d8d 35096->35095 35097->35095 35150 71f69bc 35100->35150 35154 71f69c8 35100->35154 35158 71f6828 35104->35158 35162 71f6830 35104->35162 35105 71f8d36 35109 71f60c0 ResumeThread 35108->35109 35111 71f6131 35109->35111 35111->35047 35113 71f6100 ResumeThread 35112->35113 35115 71f6131 35113->35115 35115->35047 35117 71f65ed Wow64SetThreadContext 35116->35117 35119 71f6635 35117->35119 35119->35052 35121 71f65a8 Wow64SetThreadContext 35120->35121 35123 71f6635 35121->35123 35123->35052 35125 71f6740 WriteProcessMemory 35124->35125 35127 71f67df 35125->35127 35127->35078 35129 71f6788 WriteProcessMemory 35128->35129 35131 71f67df 35129->35131 35131->35078 35133 71f9320 35132->35133 35142 71f6680 35133->35142 35146 71f6679 35133->35146 35134 71f9354 35134->35094 35138 71f9335 35137->35138 35140 71f6679 VirtualAllocEx 35138->35140 35141 71f6680 VirtualAllocEx 35138->35141 35139 71f9354 35139->35094 35140->35139 35141->35139 35143 71f66c0 VirtualAllocEx 35142->35143 35145 71f66fd 35143->35145 35145->35134 35147 71f6680 VirtualAllocEx 35146->35147 35149 71f66fd 35147->35149 35149->35134 35151 71f69c8 CreateProcessA 35150->35151 35153 71f6c13 35151->35153 35155 71f6a51 CreateProcessA 35154->35155 35157 71f6c13 35155->35157 35159 71f6830 ReadProcessMemory 35158->35159 35161 71f68bf 35159->35161 35161->35105 35163 71f687b ReadProcessMemory 35162->35163 35165 71f68bf 35163->35165 35165->35105

                                                    Executed Functions

                                                    Function 070F6108 Relevance: .9, Instructions: 897COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29966e8ad4889b6212b1c924378a77978cb141457870bd6dd43b3f661265b333
                                                    • Instruction ID: 11c5a663f5b4726ee5e80c05520a4196497525dcba698c14616591a71f2ab9c7
                                                    • Opcode Fuzzy Hash: 29966e8ad4889b6212b1c924378a77978cb141457870bd6dd43b3f661265b333
                                                    • Instruction Fuzzy Hash: 02827DB1A0020ADFCB15CF68C984AAEBBF2FF89300F158669E5159B761D772E841CB51
                                                    Function 070F2E90 Relevance: .6, Instructions: 570COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0c7f1311688bba2f32763f4461074baca6f27b8a9ec892b95ee846947068d2c6
                                                    • Instruction ID: 623a9dabd5eaca05b0d9466ee829a25095ad5dcdf7cbced91fd21fefe6aa8af0
                                                    • Opcode Fuzzy Hash: 0c7f1311688bba2f32763f4461074baca6f27b8a9ec892b95ee846947068d2c6
                                                    • Instruction Fuzzy Hash: DA227CB0A002199FDB58DF69D854BAEBBF6BF88310F148129E946EB750DB34DD41CB90
                                                    Function 070F35F8 Relevance: .3, Instructions: 327COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74017dc12dab7bf07573124c1f67d69b7f1edd9c2fb1a929aeca51d5c5ee4bbb
                                                    • Instruction ID: 3c4cb986f25016b2c4f857db7ea2a0933d89ed1ef9510ec250a22727283d4e43
                                                    • Opcode Fuzzy Hash: 74017dc12dab7bf07573124c1f67d69b7f1edd9c2fb1a929aeca51d5c5ee4bbb
                                                    • Instruction Fuzzy Hash: 68D13CB0A0420ADFCB54CFA9C884AADFBF2BF88760F158265E515AB760D731ED41CB50
                                                    Function 0156D3C9 Relevance: 6.1, APIs: 4, Instructions: 133threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0156D456
                                                    • GetCurrentThread.KERNEL32 ref: 0156D493
                                                    • GetCurrentProcess.KERNEL32 ref: 0156D4D0
                                                    • GetCurrentThreadId.KERNEL32 ref: 0156D529
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578653201.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_1560000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: c63bf6b7ff7d25d0685652a78d8e42a6b93463b8bd29e91d0b5535184192cc88
                                                    • Instruction ID: 56cb4b5e860c380341325cbe794d91f1897329c966792f818ba7b114285749e3
                                                    • Opcode Fuzzy Hash: c63bf6b7ff7d25d0685652a78d8e42a6b93463b8bd29e91d0b5535184192cc88
                                                    • Instruction Fuzzy Hash: AB5179B0A00709CFEB14DFA9D548BEEBBF5BF88300F248459D449AB390D7756944CB66
                                                    Function 0156D3D8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0156D456
                                                    • GetCurrentThread.KERNEL32 ref: 0156D493
                                                    • GetCurrentProcess.KERNEL32 ref: 0156D4D0
                                                    • GetCurrentThreadId.KERNEL32 ref: 0156D529
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578653201.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_1560000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0
                                                    • Opcode ID: 34ddb1005348cdb0a60aa0ae4ee7b43d7aeca2637bae2e2260982f9bbc4be3bc
                                                    • Instruction ID: 2fb903fd086b502e60a0bde7a73817da91f27b3b366190562e654db579ef5fb1
                                                    • Opcode Fuzzy Hash: 34ddb1005348cdb0a60aa0ae4ee7b43d7aeca2637bae2e2260982f9bbc4be3bc
                                                    • Instruction Fuzzy Hash: 91519AB0A00709CFEB14DFAAD548BEEBBF5BF48300F248459D409AB390D7716944CB66
                                                    Function 071F69BC Relevance: 1.7, APIs: 1, Instructions: 248processCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 45 71f69bc-71f6a5d 48 71f6a5f-71f6a69 45->48 49 71f6a96-71f6ab6 45->49 48->49 50 71f6a6b-71f6a6d 48->50 54 71f6aef-71f6b1e 49->54 55 71f6ab8-71f6ac2 49->55 52 71f6a6f-71f6a79 50->52 53 71f6a90-71f6a93 50->53 56 71f6a7d-71f6a8c 52->56 57 71f6a7b 52->57 53->49 65 71f6b57-71f6c11 CreateProcessA 54->65 66 71f6b20-71f6b2a 54->66 55->54 59 71f6ac4-71f6ac6 55->59 56->56 58 71f6a8e 56->58 57->56 58->53 60 71f6ae9-71f6aec 59->60 61 71f6ac8-71f6ad2 59->61 60->54 63 71f6ad6-71f6ae5 61->63 64 71f6ad4 61->64 63->63 68 71f6ae7 63->68 64->63 77 71f6c1a-71f6ca0 65->77 78 71f6c13-71f6c19 65->78 66->65 67 71f6b2c-71f6b2e 66->67 69 71f6b51-71f6b54 67->69 70 71f6b30-71f6b3a 67->70 68->60 69->65 72 71f6b3e-71f6b4d 70->72 73 71f6b3c 70->73 72->72 74 71f6b4f 72->74 73->72 74->69 88 71f6ca2-71f6ca6 77->88 89 71f6cb0-71f6cb4 77->89 78->77 88->89 90 71f6ca8 88->90 91 71f6cb6-71f6cba 89->91 92 71f6cc4-71f6cc8 89->92 90->89 91->92 95 71f6cbc 91->95 93 71f6cca-71f6cce 92->93 94 71f6cd8-71f6cdc 92->94 93->94 96 71f6cd0 93->96 97 71f6cee-71f6cf5 94->97 98 71f6cde-71f6ce4 94->98 95->92 96->94 99 71f6d0c 97->99 100 71f6cf7-71f6d06 97->100 98->97 102 71f6d0d 99->102 100->99 102->102
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071F6BFE
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: 2a243fa8fef0125f8ec68b4733a0cd5644ae26124757d09fbcb7c57071300448
                                                    • Instruction ID: 4d152335892b4ef7f2a861b363972246d1b5041d7197e8fe4c90e973c01046ff
                                                    • Opcode Fuzzy Hash: 2a243fa8fef0125f8ec68b4733a0cd5644ae26124757d09fbcb7c57071300448
                                                    • Instruction Fuzzy Hash: 67A159B1D0021ACFEB21CF68C8417EEBBB2FF48310F14856AD959A7280DB7599858F91
                                                    Function 071F69C8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 103 71f69c8-71f6a5d 105 71f6a5f-71f6a69 103->105 106 71f6a96-71f6ab6 103->106 105->106 107 71f6a6b-71f6a6d 105->107 111 71f6aef-71f6b1e 106->111 112 71f6ab8-71f6ac2 106->112 109 71f6a6f-71f6a79 107->109 110 71f6a90-71f6a93 107->110 113 71f6a7d-71f6a8c 109->113 114 71f6a7b 109->114 110->106 122 71f6b57-71f6c11 CreateProcessA 111->122 123 71f6b20-71f6b2a 111->123 112->111 116 71f6ac4-71f6ac6 112->116 113->113 115 71f6a8e 113->115 114->113 115->110 117 71f6ae9-71f6aec 116->117 118 71f6ac8-71f6ad2 116->118 117->111 120 71f6ad6-71f6ae5 118->120 121 71f6ad4 118->121 120->120 125 71f6ae7 120->125 121->120 134 71f6c1a-71f6ca0 122->134 135 71f6c13-71f6c19 122->135 123->122 124 71f6b2c-71f6b2e 123->124 126 71f6b51-71f6b54 124->126 127 71f6b30-71f6b3a 124->127 125->117 126->122 129 71f6b3e-71f6b4d 127->129 130 71f6b3c 127->130 129->129 131 71f6b4f 129->131 130->129 131->126 145 71f6ca2-71f6ca6 134->145 146 71f6cb0-71f6cb4 134->146 135->134 145->146 147 71f6ca8 145->147 148 71f6cb6-71f6cba 146->148 149 71f6cc4-71f6cc8 146->149 147->146 148->149 152 71f6cbc 148->152 150 71f6cca-71f6cce 149->150 151 71f6cd8-71f6cdc 149->151 150->151 153 71f6cd0 150->153 154 71f6cee-71f6cf5 151->154 155 71f6cde-71f6ce4 151->155 152->149 153->151 156 71f6d0c 154->156 157 71f6cf7-71f6d06 154->157 155->154 159 71f6d0d 156->159 157->156 159->159
                                                    APIs
                                                    • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071F6BFE
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: CreateProcess
                                                    • String ID:
                                                    • API String ID: 963392458-0
                                                    • Opcode ID: a147703fb014b9c9d51c0c48d18d8b4d56bf523951e9d75b01c82e2a82a26ef5
                                                    • Instruction ID: dae313024e1789ac7504e6ef9fe1b15baae6ed9593c745f6e1c9ee65b366d945
                                                    • Opcode Fuzzy Hash: a147703fb014b9c9d51c0c48d18d8b4d56bf523951e9d75b01c82e2a82a26ef5
                                                    • Instruction Fuzzy Hash: 539159B1D0031ACFEB21DF68C8417AEBBB2FF48310F14816AD959A7280DB759985CF91
                                                    Function 0156AD48 Relevance: 1.7, APIs: 1, Instructions: 211COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 160 156ad48-156ad57 161 156ad83-156ad87 160->161 162 156ad59-156ad66 call 156a0a0 160->162 163 156ad9b-156addc 161->163 164 156ad89-156ad93 161->164 169 156ad7c 162->169 170 156ad68 162->170 171 156adde-156ade6 163->171 172 156ade9-156adf7 163->172 164->163 169->161 219 156ad6e call 156afd0 170->219 220 156ad6e call 156afe0 170->220 171->172 174 156ae1b-156ae1d 172->174 175 156adf9-156adfe 172->175 173 156ad74-156ad76 173->169 176 156aeb8-156af34 173->176 177 156ae20-156ae27 174->177 178 156ae00-156ae07 call 156a0ac 175->178 179 156ae09 175->179 210 156af36 176->210 211 156af60-156af78 176->211 181 156ae34-156ae3b 177->181 182 156ae29-156ae31 177->182 180 156ae0b-156ae19 178->180 179->180 180->177 185 156ae3d-156ae45 181->185 186 156ae48-156ae4a call 156a0bc 181->186 182->181 185->186 189 156ae4f-156ae51 186->189 191 156ae53-156ae5b 189->191 192 156ae5e-156ae63 189->192 191->192 193 156ae65-156ae6c 192->193 194 156ae81-156ae8e 192->194 193->194 196 156ae6e-156ae7e call 156a0cc call 156a0dc 193->196 201 156ae90-156aeae 194->201 202 156aeb1-156aeb7 194->202 196->194 201->202 212 156af3a-156af5e 210->212 213 156af38-156af39 210->213 214 156af80-156afab GetModuleHandleW 211->214 215 156af7a-156af7d 211->215 212->211 213->212 216 156afb4-156afc8 214->216 217 156afad-156afb3 214->217 215->214 217->216 219->173 220->173
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0156AF9E
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578653201.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_1560000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 2ae319b036e5a6daa34aa31a18f649201539e66f117a2f99ea3e0ed99ae5f8a3
                                                    • Instruction ID: dabc89f7838f224fd132ecea69dc39107bf5540689015fec1e1ed9049e5ef3a3
                                                    • Opcode Fuzzy Hash: 2ae319b036e5a6daa34aa31a18f649201539e66f117a2f99ea3e0ed99ae5f8a3
                                                    • Instruction Fuzzy Hash: 3E815670A00B058FEB24DF69D44479ABBF5FF88204F008A2DD59AABA40D775E849CBD1
                                                    Function 0156590D Relevance: 1.6, APIs: 1, Instructions: 101COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 221 156590d-1565916 222 1565918-15659d9 CreateActCtxA 221->222 224 15659e2-1565a3c 222->224 225 15659db-15659e1 222->225 232 1565a3e-1565a41 224->232 233 1565a4b-1565a4f 224->233 225->224 232->233 234 1565a60 233->234 235 1565a51-1565a5d 233->235 236 1565a61 234->236 235->234 236->236
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 015659C9
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578653201.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_1560000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: b593c6ba55392e46658ec5f0943edcc44e945bab2e0a378fd59715e858ffaebc
                                                    • Instruction ID: f7a2dfd7d04f834cf93cf3e9117801b6d4e83cc33939a458af62c354faca2432
                                                    • Opcode Fuzzy Hash: b593c6ba55392e46658ec5f0943edcc44e945bab2e0a378fd59715e858ffaebc
                                                    • Instruction Fuzzy Hash: FF41E070C00719CBEB24DFAAC884B8EFBB5BF49304F20816AD409AB250DBB55949CF91
                                                    Function 015644E4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 238 15644e4-15659d9 CreateActCtxA 241 15659e2-1565a3c 238->241 242 15659db-15659e1 238->242 249 1565a3e-1565a41 241->249 250 1565a4b-1565a4f 241->250 242->241 249->250 251 1565a60 250->251 252 1565a51-1565a5d 250->252 253 1565a61 251->253 252->251 253->253
                                                    APIs
                                                    • CreateActCtxA.KERNEL32(?), ref: 015659C9
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578653201.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_1560000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: Create
                                                    • String ID:
                                                    • API String ID: 2289755597-0
                                                    • Opcode ID: 27d9cd5cc7c60cfbb233be24d8249be035830ad857ad43963551ac56e0f68b99
                                                    • Instruction ID: f47f45e2db5f39faaef6dde90d7b595860607d03d185388270c55256dcf7f07d
                                                    • Opcode Fuzzy Hash: 27d9cd5cc7c60cfbb233be24d8249be035830ad857ad43963551ac56e0f68b99
                                                    • Instruction Fuzzy Hash: 2E41D270C00719CFEB24DFA9C844B9EBBF5BF49704F20846AD409AB251DBB15945CF91
                                                    Function 0156D6E1 Relevance: 1.6, APIs: 1, Instructions: 87COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 255 156d6e1-156d6e8 256 156d6a4-156d6b4 DuplicateHandle 255->256 257 156d6ea-156d80e 255->257 258 156d6b6-156d6bc 256->258 259 156d6bd-156d6da 256->259 258->259
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0156D6A7
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578653201.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_1560000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 77912f2ee8118995bc0c887b8b5b26ab41c6cd399e44a41e93b8dcba67d3d9cd
                                                    • Instruction ID: 756b85db264a067a11ae856aedbfd2168e4091cc81da3945244c68a1e1544537
                                                    • Opcode Fuzzy Hash: 77912f2ee8118995bc0c887b8b5b26ab41c6cd399e44a41e93b8dcba67d3d9cd
                                                    • Instruction Fuzzy Hash: 90317C74AC0384DFE3059F61E4657693BBAF7C8710F10893AE9258B3D8DBB488A5CB50
                                                    Function 071F6738 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 274 71f6738-71f678e 277 71f679e-71f67dd WriteProcessMemory 274->277 278 71f6790-71f679c 274->278 280 71f67df-71f67e5 277->280 281 71f67e6-71f6816 277->281 278->277 280->281
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071F67D0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: d2c55c55e101a70bb2ee1d4a5b9bb3ce98614535082f20136a2f57292e8a36f7
                                                    • Instruction ID: 571eeb9e5ca9fc7e797145272e16c578e3fd876416584382721bdcb432d77506
                                                    • Opcode Fuzzy Hash: d2c55c55e101a70bb2ee1d4a5b9bb3ce98614535082f20136a2f57292e8a36f7
                                                    • Instruction Fuzzy Hash: A12148B59003499FDB10CFA9C885BDEBBF4FF48310F10882AE519A7240C7789544CBA5
                                                    Function 071F6740 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 285 71f6740-71f678e 287 71f679e-71f67dd WriteProcessMemory 285->287 288 71f6790-71f679c 285->288 290 71f67df-71f67e5 287->290 291 71f67e6-71f6816 287->291 288->287 290->291
                                                    APIs
                                                    • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071F67D0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessWrite
                                                    • String ID:
                                                    • API String ID: 3559483778-0
                                                    • Opcode ID: e9e176397cd655847ade3f8133bb10994270f5df7fbf28bcecf3ed3c0a65eff3
                                                    • Instruction ID: cbaa5300fdb32b9fbd25fc8f25d9d8393eb70dac1ee69ac8cb627e36a1fe605e
                                                    • Opcode Fuzzy Hash: e9e176397cd655847ade3f8133bb10994270f5df7fbf28bcecf3ed3c0a65eff3
                                                    • Instruction Fuzzy Hash: 8A2125B5900359DFDB10CFAAC885BDEBBF5FF48310F14882AE919A7240C7789954CBA5
                                                    Function 071F65A0 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 295 71f65a0-71f65f3 298 71f65f5-71f6601 295->298 299 71f6603-71f6633 Wow64SetThreadContext 295->299 298->299 301 71f663c-71f666c 299->301 302 71f6635-71f663b 299->302 302->301
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071F6626
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: de3e6b2fd0340d1225e737400ca5c0cfadfcf50e7c46a638d3e31c258d8e49fa
                                                    • Instruction ID: fa2f9558e000ae2cc990762943d74f596bf88f40d3b8c41f489bdec53ec39886
                                                    • Opcode Fuzzy Hash: de3e6b2fd0340d1225e737400ca5c0cfadfcf50e7c46a638d3e31c258d8e49fa
                                                    • Instruction Fuzzy Hash: EF213AB1D003099FDB10DFAAC8457EEBBF4AF48324F14842AD519A7381D7789945CFA5
                                                    Function 071F6828 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 306 71f6828-71f68bd ReadProcessMemory 310 71f68bf-71f68c5 306->310 311 71f68c6-71f68f6 306->311 310->311
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071F68B0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: c1b95c073e02c9bbde1e55fa0be32ea4ce0d485c4227196eba2e50b32a63179f
                                                    • Instruction ID: 0056d5d6668b7ca180bd22509a3180d96a4073b9ea5c4896c77d908750969c96
                                                    • Opcode Fuzzy Hash: c1b95c073e02c9bbde1e55fa0be32ea4ce0d485c4227196eba2e50b32a63179f
                                                    • Instruction Fuzzy Hash: 1F2125B1C003499FDB10CFAAC881BEEBBF5FF48310F14842AE559A7240C7799540DBA5
                                                    Function 0156D619 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 315 156d619-156d61e 316 156d622-156d6b4 DuplicateHandle 315->316 317 156d620-156d621 315->317 318 156d6b6-156d6bc 316->318 319 156d6bd-156d6da 316->319 317->316 318->319
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0156D6A7
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578653201.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_1560000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 6bd27f5443e94fdae73f6c64b8c28c4b96db829ecf5b14bf2ed4ca12a40cc700
                                                    • Instruction ID: b9625bb882c5bb298ae3d811112109e8deb92c23df7b3524171befac18463cb6
                                                    • Opcode Fuzzy Hash: 6bd27f5443e94fdae73f6c64b8c28c4b96db829ecf5b14bf2ed4ca12a40cc700
                                                    • Instruction Fuzzy Hash: 8F21E5B5900249DFDB10CFAAD884ADEBBF8FB48310F14841AE958A7350D374A944CFA5
                                                    Function 071F65A8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 322 71f65a8-71f65f3 324 71f65f5-71f6601 322->324 325 71f6603-71f6633 Wow64SetThreadContext 322->325 324->325 327 71f663c-71f666c 325->327 328 71f6635-71f663b 325->328 328->327
                                                    APIs
                                                    • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071F6626
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: ContextThreadWow64
                                                    • String ID:
                                                    • API String ID: 983334009-0
                                                    • Opcode ID: 38b384c8cc0c9a89305f6e844ff30d413b3f66dfcc03219c15f86e451ddae34f
                                                    • Instruction ID: c5b01275172a78aafdb9bf99b3cff3a8d39504a065f25f2e5ea1de12af071bfd
                                                    • Opcode Fuzzy Hash: 38b384c8cc0c9a89305f6e844ff30d413b3f66dfcc03219c15f86e451ddae34f
                                                    • Instruction Fuzzy Hash: CB2127B1D003099FDB10DFAAC8857EEBBF4EF48320F14842AD519A7281CB789945CFA5
                                                    Function 071F6830 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 332 71f6830-71f68bd ReadProcessMemory 335 71f68bf-71f68c5 332->335 336 71f68c6-71f68f6 332->336 335->336
                                                    APIs
                                                    • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071F68B0
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: MemoryProcessRead
                                                    • String ID:
                                                    • API String ID: 1726664587-0
                                                    • Opcode ID: 380f32aad8c282093906373d5384d32bceb6210889e0e55a471b94a265662383
                                                    • Instruction ID: 2488ef2a2c8c6c6176764c36434bac86faa85fb55c7ba96e9650ad6edf3271c4
                                                    • Opcode Fuzzy Hash: 380f32aad8c282093906373d5384d32bceb6210889e0e55a471b94a265662383
                                                    • Instruction Fuzzy Hash: 162103B1C003499FDB10DFAAC881BEEBBF5BF48310F14882AE519A7240C7799940DBA5
                                                    Function 0156D620 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0156D6A7
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578653201.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_1560000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0
                                                    • Opcode ID: 60690603a0b13fc06652cd34b492e4e300768afb1f75b1a0d3617d7ccd2c48b1
                                                    • Instruction ID: 7bb90f53c0ec31235577d4a7927991b96e4fbadac9a38e2af4857588920db3b2
                                                    • Opcode Fuzzy Hash: 60690603a0b13fc06652cd34b492e4e300768afb1f75b1a0d3617d7ccd2c48b1
                                                    • Instruction Fuzzy Hash: EF21C6B5900349DFDB10CF9AD484ADEBBF8FB48310F14841AE958A7350D375A954CFA5
                                                    Function 071F6679 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071F66EE
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: e73bd4ee35c3010f4601c09b1120cc4607be3f36b0a177fc5340235c7dba3702
                                                    • Instruction ID: fee5fd2e313f744ebb445e74dfb2b9ae47b430739837ebec04caf0965c327d6d
                                                    • Opcode Fuzzy Hash: e73bd4ee35c3010f4601c09b1120cc4607be3f36b0a177fc5340235c7dba3702
                                                    • Instruction Fuzzy Hash: CD111771900349DFDB20DFAAD844BDFBBF5AB48320F14881AE519A7250D7759950CFA1
                                                    Function 071F6680 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071F66EE
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: AllocVirtual
                                                    • String ID:
                                                    • API String ID: 4275171209-0
                                                    • Opcode ID: 7d84977ae25fa8d4535eb63d94b1db86d32cb1f6bf266b9ac2f59467702fde75
                                                    • Instruction ID: 78b5f9904304cc617c8ae66e1f4c5a8000d2c492b87d68adbc16799bf8e08ef8
                                                    • Opcode Fuzzy Hash: 7d84977ae25fa8d4535eb63d94b1db86d32cb1f6bf266b9ac2f59467702fde75
                                                    • Instruction Fuzzy Hash: AC112671800349DFDB20DFAAD844BDFBBF5AB48320F148819E519A7250C7759540CBA1
                                                    Function 071F60B9 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: adabdb6cb79cc533a6c1b56f27dae45a2546549a106b2001d9e54e5ec9975e56
                                                    • Instruction ID: c2dd6bc4f62c5aa38afd022378e393900d8701dc0fbf4cc3f0199c106c151f11
                                                    • Opcode Fuzzy Hash: adabdb6cb79cc533a6c1b56f27dae45a2546549a106b2001d9e54e5ec9975e56
                                                    • Instruction Fuzzy Hash: 9A116AB1D003498FDB20DFAAD8457DFFBF4AF88210F24881AD519A7240CB79A900CF95
                                                    Function 071F60C0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: ResumeThread
                                                    • String ID:
                                                    • API String ID: 947044025-0
                                                    • Opcode ID: 2baa7556b3f70fbbc0593aa081147968f688830caacf52e56ca7913eb125a8b5
                                                    • Instruction ID: 1e5acd437b4df7c06393fab99812d52fe665c80af0452b449dc2abf07853a9dc
                                                    • Opcode Fuzzy Hash: 2baa7556b3f70fbbc0593aa081147968f688830caacf52e56ca7913eb125a8b5
                                                    • Instruction Fuzzy Hash: 42113AB1D007498FDB20DFAAD44579FFBF4AB88210F248819D519A7240CB75A540CB95
                                                    Function 071F96E8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 071F974D
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: d3421eca156c14a9cb87fa450e716adb6dfe3df46662fcb326937413b7b69012
                                                    • Instruction ID: 795704797208da10656760a88e84dac09fce3c0f5e88113a5a00b8a877c6dfc7
                                                    • Opcode Fuzzy Hash: d3421eca156c14a9cb87fa450e716adb6dfe3df46662fcb326937413b7b69012
                                                    • Instruction Fuzzy Hash: 7F1103B5800349DFDB20DF9AD885BDEFBF8EB48314F24841AE519A7241C375A544CFA1
                                                    Function 071F52E0 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,?), ref: 071F974D
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585778970.00000000071F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_71f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: MessagePost
                                                    • String ID:
                                                    • API String ID: 410705778-0
                                                    • Opcode ID: 49dcb488efc856caebab64f79ee719cda6fcbf6fa8d9d185fd66f22ca6ccad8c
                                                    • Instruction ID: 0c78f1ef385926a17206642737ca304dc2e5309adbe6cfe34278d6e9fffb149e
                                                    • Opcode Fuzzy Hash: 49dcb488efc856caebab64f79ee719cda6fcbf6fa8d9d185fd66f22ca6ccad8c
                                                    • Instruction Fuzzy Hash: 3D1103B5800349DFDB20EF9AD484BDEBBF8EB48320F108459E519A7340C3B5A944CFA5
                                                    Function 0156AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                    Download Yara Rule
                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0156AF9E
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578653201.0000000001560000.00000040.00000800.00020000.00000000.sdmp, Offset: 01560000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_1560000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: af5e3e6bee1b5382a152eed0d649ac4eaeb0482ee80d054ca3bc8550fa2dd941
                                                    • Instruction ID: 9334a94f1555d5b79adef32d908e61041c372f36edf6ecc28143cade771d744c
                                                    • Opcode Fuzzy Hash: af5e3e6bee1b5382a152eed0d649ac4eaeb0482ee80d054ca3bc8550fa2dd941
                                                    • Instruction Fuzzy Hash: 9811DFB5C007498FDB24CF9AD444BDEFBF8AB88214F14841AD929B7250C3B9A545CFA6
                                                    Function 070F3BE0 Relevance: .4, Instructions: 448COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 622460f00bf6a232c7b764f0c83346911f052f9e43e5967e4536259840256a4a
                                                    • Instruction ID: 6a5e4725e55269edd91c8840ecfe5a1713802544b4b8a607e8827ff54b77e9cb
                                                    • Opcode Fuzzy Hash: 622460f00bf6a232c7b764f0c83346911f052f9e43e5967e4536259840256a4a
                                                    • Instruction Fuzzy Hash: 06125BB0A00249DFCB54CFA8D884AAEBBF1BF88314F148659E915DB761DB31EC41CB50
                                                    Function 070F7BF8 Relevance: .4, Instructions: 400COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dabf15c783c203b8bc91149386a3714e9da560eaf1f4c4256aa7c25f6e96165a
                                                    • Instruction ID: 5c3ba77ed31dbcf1579dc969fb68a64bcbacee96bac508451b644708573c1a02
                                                    • Opcode Fuzzy Hash: dabf15c783c203b8bc91149386a3714e9da560eaf1f4c4256aa7c25f6e96165a
                                                    • Instruction Fuzzy Hash: D5F13BB1A00219CFCB14CFACD584AADBBF6FF88310B5A9169E505AB761CB31EC41CB51
                                                    Function 070F5AF0 Relevance: .3, Instructions: 335COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: befea776cb05cf45161819fe576bca98c1ef6b757fe8222db883ee29b9b867e0
                                                    • Instruction ID: d939f69bcb1467ad1377a6fc22ecff93abad2cb50de680cdcc0d04e92117dd61
                                                    • Opcode Fuzzy Hash: befea776cb05cf45161819fe576bca98c1ef6b757fe8222db883ee29b9b867e0
                                                    • Instruction Fuzzy Hash: 1CC1E3B16002058FC714CF68CC84A6ABBF6FF85314F558666EA29DB791D731EC21CBA1
                                                    Function 070F2410 Relevance: .3, Instructions: 329COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7002ae5021490aeccd785291bad739e731790c0dec783832259c649ed5c10cd3
                                                    • Instruction ID: 6206aa26f068bd13f70ee98a097204330baecd48bdbc0d10afaa54d672f94409
                                                    • Opcode Fuzzy Hash: 7002ae5021490aeccd785291bad739e731790c0dec783832259c649ed5c10cd3
                                                    • Instruction Fuzzy Hash: 4DB1BBB53002169FDB15AF34D858B7E7BE6BB89600F148628EA06CB790DFB5DC41CB91
                                                    Function 070F5170 Relevance: .3, Instructions: 319COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ecdda5c3ccb8141170f428cf2d791cde545626f4ace15d7f8ae4791dc543c78a
                                                    • Instruction ID: 038d2d498d545fa80fd4bd1cb820bac9df74339c6be968d216d1c1266a5198cc
                                                    • Opcode Fuzzy Hash: ecdda5c3ccb8141170f428cf2d791cde545626f4ace15d7f8ae4791dc543c78a
                                                    • Instruction Fuzzy Hash: BCB184B03205128FDB649B29CC6873D3AE6EF86A05F19426AF313CFBA1DA65DC51C741
                                                    Function 070F3BD0 Relevance: .3, Instructions: 274COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 99f0e352973284ae24c6505b0670ab05ee3735f556f0fd4fe8eed8c0446ebfdd
                                                    • Instruction ID: abc294caa2e4318567a67bd333e0902b445077dd915f35ec1fc38701a86c44fe
                                                    • Opcode Fuzzy Hash: 99f0e352973284ae24c6505b0670ab05ee3735f556f0fd4fe8eed8c0446ebfdd
                                                    • Instruction Fuzzy Hash: 0DC14BB0A00249DFCB54CFA9D984AAEBBF2BF89314F148659E915EB761D730EC41CB50
                                                    Function 070F2970 Relevance: .2, Instructions: 230COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d49c904fc44313a8a5890656ab5f422ab772773bb421907dd58d3eb94bfc1ea9
                                                    • Instruction ID: 54919205a96ae62fef956ac38a5e4f1ed052a7dd33c3e6319d7f318ac4074b13
                                                    • Opcode Fuzzy Hash: d49c904fc44313a8a5890656ab5f422ab772773bb421907dd58d3eb94bfc1ea9
                                                    • Instruction Fuzzy Hash: 178190B4A00106CFCB58CF69C884AAEB7F1BF89310F148269DA16D7B64DB31E841CB91
                                                    Function 070F6D18 Relevance: .2, Instructions: 205COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 513f25ecf08f7beeebdea4c107901299dc667307a3e5051ded1d8405d4c3b22f
                                                    • Instruction ID: 840f7dd0a3d7495ce32884cb045039b963c8792ac5bbd28c5d4e45c234b01406
                                                    • Opcode Fuzzy Hash: 513f25ecf08f7beeebdea4c107901299dc667307a3e5051ded1d8405d4c3b22f
                                                    • Instruction Fuzzy Hash: A761C2B2710116CFCB54DF39C994A6A7BE9FF49204B0942AAE616CB761DB33DC00CB60
                                                    Function 070F41B0 Relevance: .2, Instructions: 201COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 69cbb7e230388aa4a7c7abe582eb90c8ed1b0c60692a481ccf792d0f675c8066
                                                    • Instruction ID: 58010a5b6c49b96b7d44a044b75f386156d036e886798ec92249dcc0c7012b50
                                                    • Opcode Fuzzy Hash: 69cbb7e230388aa4a7c7abe582eb90c8ed1b0c60692a481ccf792d0f675c8066
                                                    • Instruction Fuzzy Hash: 407137B47102868FCB55CF68C894A6E7BF5EF89250B1941A9FA16CB770DB70EC41CB90
                                                    Function 070FC63F Relevance: .2, Instructions: 166COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 27ff7ae4c9f285bd1a486a520bfd0f813535188aeb58334771c3faa49ed340cc
                                                    • Instruction ID: b07679ccf39312de800bdd50776d55ccca2ad6d2808b8861427d86b3e80c894b
                                                    • Opcode Fuzzy Hash: 27ff7ae4c9f285bd1a486a520bfd0f813535188aeb58334771c3faa49ed340cc
                                                    • Instruction Fuzzy Hash: 7851EEB0E0024D9FEB18DBA9D4517FFBAB2BF84710F108225E655A77C0CB745942CB91
                                                    Function 070F71B0 Relevance: .2, Instructions: 162COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c5ce1e4b406868e9337bbbeb7e6273cb5c26b150aec36dfca426b9ff203a090a
                                                    • Instruction ID: 1b51ece5cb9ce81ebd7dd569a3495eb4a0112080817090a0f404db72d54bf478
                                                    • Opcode Fuzzy Hash: c5ce1e4b406868e9337bbbeb7e6273cb5c26b150aec36dfca426b9ff203a090a
                                                    • Instruction Fuzzy Hash: ED618DB0E0034AEFDB16CFA5C5406DEBBF2AF8A300F649319E905BB641D770A941CB41
                                                    Function 070F8D74 Relevance: .2, Instructions: 155COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 242269b60feef5d79df524198c06251d3e95cd87f73e2ca21d1b96471abfc560
                                                    • Instruction ID: 89f085613bba67f4e956c33512c4567c469538dc8d0b92fff326f0f3e4fd3654
                                                    • Opcode Fuzzy Hash: 242269b60feef5d79df524198c06251d3e95cd87f73e2ca21d1b96471abfc560
                                                    • Instruction Fuzzy Hash: 945192B5B006169FCB14DB79D848AAEBBF6EFC5320B148629E519DB390EF70DC058790
                                                    Function 070F86A0 Relevance: .2, Instructions: 154COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e620a04bf88c62843fe64c227bed9687ae9a8b16cd11336ca2e89942ee6def7e
                                                    • Instruction ID: 130e943f9bb9b46c1b612cac038af3bad8ce44b00ae6ea556524d7da64d979a9
                                                    • Opcode Fuzzy Hash: e620a04bf88c62843fe64c227bed9687ae9a8b16cd11336ca2e89942ee6def7e
                                                    • Instruction Fuzzy Hash: B751B135F002189FD704ABB8E4466EDBBB2BFC8700F55C5A9D892AB385CF346D498791
                                                    Function 070F86B0 Relevance: .2, Instructions: 152COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9f4c37de4f78334201e32e3a9b8397037a8b820474cce7e8f762ca851f54a94d
                                                    • Instruction ID: 2be3b02eb8425d71e864c4b52e2f805bb881004a0113b9e23d5f21f8e1b9ad99
                                                    • Opcode Fuzzy Hash: 9f4c37de4f78334201e32e3a9b8397037a8b820474cce7e8f762ca851f54a94d
                                                    • Instruction Fuzzy Hash: 1A51AF31F002189FD704ABB8E4456ADBBB2BBC9700F55C5A9E8826B385CF356E498781
                                                    Function 070F71A0 Relevance: .1, Instructions: 138COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 565f5a1ed43b48649c6dbe16ca403e84e3c7523e76913b2cc08b71ee40e37124
                                                    • Instruction ID: b93ade59e7752f7b747c6dcacd27ac86f503bed865ea864356cae6795bf60c60
                                                    • Opcode Fuzzy Hash: 565f5a1ed43b48649c6dbe16ca403e84e3c7523e76913b2cc08b71ee40e37124
                                                    • Instruction Fuzzy Hash: 6B518CB4E0074AEFDB16CFA5C5406DDBBF2AF8A300F64921AE945BB641D370A981CF41
                                                    Function 070F6383 Relevance: .1, Instructions: 126COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3437660d722abe80b2d3fa21a4d98f913525675a35a90d914af94613a199e0e2
                                                    • Instruction ID: 8cbafe195553884c4b7c15586b5c3951fc75bfab75a8def43906321d0f405e78
                                                    • Opcode Fuzzy Hash: 3437660d722abe80b2d3fa21a4d98f913525675a35a90d914af94613a199e0e2
                                                    • Instruction Fuzzy Hash: CC41C3B1A00249DFCF11DFA4C844BADBFB2EF45310F048265EA15EB691D772E954CBA0
                                                    Function 070F78D8 Relevance: .1, Instructions: 124COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00945c56d7c0781798b57057b6beeb6061d7127d6428218b3a9bd6923700b885
                                                    • Instruction ID: 5b724ddb0425cff338c7cfd6bd5343c08aa6d2e830e0b03156d20a999694a9b1
                                                    • Opcode Fuzzy Hash: 00945c56d7c0781798b57057b6beeb6061d7127d6428218b3a9bd6923700b885
                                                    • Instruction Fuzzy Hash: 5B41F0717002049FDB189B68D854BAE7BF6BBC8210F545169E606DB790CF31DC42CBA1
                                                    Function 070F88D6 Relevance: .1, Instructions: 107COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 56d36643afcb62d10693b94c398c9de0ffce47ed182f028fe772c6fa63d6ebed
                                                    • Instruction ID: 1fa4898baf3b9d654e8f6615c8cea23aa2e6a5520b69d0042ac4bd0033cb845c
                                                    • Opcode Fuzzy Hash: 56d36643afcb62d10693b94c398c9de0ffce47ed182f028fe772c6fa63d6ebed
                                                    • Instruction Fuzzy Hash: 9731057171C3844FD7059BB4A8193B97FE5EB86211F09C5ABE182CB7D2CE288C05C762
                                                    Function 070F4FD0 Relevance: .1, Instructions: 104COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 261e74aadc4c5d2e903ca426a859b7773917d0d79f96781bba2577487980dbfe
                                                    • Instruction ID: b5d40d4346d549a8067ba507cfaa8de7a7a2e84ffd7d2d2378efce5855e549de
                                                    • Opcode Fuzzy Hash: 261e74aadc4c5d2e903ca426a859b7773917d0d79f96781bba2577487980dbfe
                                                    • Instruction Fuzzy Hash: C73108B03102058FDB29CB74DC9473D7BA6FB82701B15466AE216CBB81EB26DC5087D1
                                                    Function 070F14A8 Relevance: .1, Instructions: 101COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 18ab8c2b467d9f2b83316f890d338b2f178ab497f3a2a5a0b1a14df4ddac8d22
                                                    • Instruction ID: b23a0eabbbfc955edb95ac2a1368ea524bcd626eb0d7739c8009dce77315c087
                                                    • Opcode Fuzzy Hash: 18ab8c2b467d9f2b83316f890d338b2f178ab497f3a2a5a0b1a14df4ddac8d22
                                                    • Instruction Fuzzy Hash: BD31CE7520014EDFCB05AFA8E494ABF7FB2FB89204F404128FA168B340CB35D961DBA1
                                                    Function 070FB834 Relevance: .1, Instructions: 100COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 24f4b36e65fcf09f9f4c5821e11e24edb22c22bfa9949b84695bd60e7f5628b8
                                                    • Instruction ID: 4d5f14b2fe9d77a55cc80277ca7a0db22faf4a132f9a91683fffa475e7268eaf
                                                    • Opcode Fuzzy Hash: 24f4b36e65fcf09f9f4c5821e11e24edb22c22bfa9949b84695bd60e7f5628b8
                                                    • Instruction Fuzzy Hash: 423158B1900309AFDB10DFA9D844ADEBFF9EB48310F14842AE519E7310D774A944CFA5
                                                    Function 070FD5A8 Relevance: .1, Instructions: 98COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9f6d0bf38496b73510546c7015b8af7936cd6b3c44ca1439d9ae991ae40765e1
                                                    • Instruction ID: 755fc25064cb3f12ac02467eddd193c805dbd22a266654ad3e0409a6cb5040aa
                                                    • Opcode Fuzzy Hash: 9f6d0bf38496b73510546c7015b8af7936cd6b3c44ca1439d9ae991ae40765e1
                                                    • Instruction Fuzzy Hash: 543121B0B18659CFC714CB69C4206BEBBF2FF46605F10826BD1AAE7A41D339D901CB61
                                                    Function 070F4448 Relevance: .1, Instructions: 88COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 762c338a637ab766374b71d7897fca271011a8d01314ddb06c3363b5a0b2d4ca
                                                    • Instruction ID: 9f4cd1d3f611a57d3e738101296b551fe96f02a5d3f241962a4dedd4b6f29dab
                                                    • Opcode Fuzzy Hash: 762c338a637ab766374b71d7897fca271011a8d01314ddb06c3363b5a0b2d4ca
                                                    • Instruction Fuzzy Hash: 062128B53042528BDB247739946433F3AD79FC5914B184139FE02CBBA2FE25C8429741
                                                    Function 070F4458 Relevance: .1, Instructions: 87COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 98138d00a514963059bbd1d55eecf8bca104238b2a393608a63ae721568e4260
                                                    • Instruction ID: 7c125f623d90de8f9d0cddf15372ea5874c0dd6a62eed0b6bd1f47fa60f89571
                                                    • Opcode Fuzzy Hash: 98138d00a514963059bbd1d55eecf8bca104238b2a393608a63ae721568e4260
                                                    • Instruction Fuzzy Hash: F421C2713002568BEB24772994A437F76D7AFC5A14F144139FE06CFBA6EE65CC829780
                                                    Function 070F7BE8 Relevance: .1, Instructions: 84COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4ceab2f9b61db06c7949ea1acc5084bb656b69607ac9f962da755e5586433fc3
                                                    • Instruction ID: ef8b653ece46653fb28a3eb1e22fd1879c8e37a1fea7e307333e51bf8221be9e
                                                    • Opcode Fuzzy Hash: 4ceab2f9b61db06c7949ea1acc5084bb656b69607ac9f962da755e5586433fc3
                                                    • Instruction Fuzzy Hash: 1B3173B0A005158FCB08DF6CC8849AEBBF6FF84320B558259E515DB7A1DB34EC52CB91
                                                    Function 070F8918 Relevance: .1, Instructions: 84COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b32ec359c9eff4b1913f58c9f3c556f27859dcbe28cd505fbfa46b95c0d8749a
                                                    • Instruction ID: f7ac9f6dbed7829f4fcab97d7e05b927558e8f17bd58ce1c46fa2caa13d087de
                                                    • Opcode Fuzzy Hash: b32ec359c9eff4b1913f58c9f3c556f27859dcbe28cd505fbfa46b95c0d8749a
                                                    • Instruction Fuzzy Hash: F221F1317142088FD7049BF8A81937E3EE6ABC9211F04DA3AF546C7BC1CE748C018792
                                                    Function 0104D4C4 Relevance: .1, Instructions: 75COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1577204338.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_104d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 227f46dcbe74eabf43d135c05b15818d330b5424513800578fb7ec0f77e3d46c
                                                    • Instruction ID: df4b7cff0457cbaaf49a866d4d2959249334dd88c545f5cd55299d12b9a22168
                                                    • Opcode Fuzzy Hash: 227f46dcbe74eabf43d135c05b15818d330b5424513800578fb7ec0f77e3d46c
                                                    • Instruction Fuzzy Hash: 8B2136B1500244EFDB01DF54D8C0B2ABFA1FBD4318F20C1B9E8490B246C736D456CBA2
                                                    Function 0104D3D8 Relevance: .1, Instructions: 75COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1577204338.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_104d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1cf924f204b5355eb290a86ec2f505ddf4d5de93c7e8526df8563334e292317b
                                                    • Instruction ID: ceb6e4fc0ec45de6a56fe3f8f47530d37d6f10a8e4d5d7c348eaee0e2025596d
                                                    • Opcode Fuzzy Hash: 1cf924f204b5355eb290a86ec2f505ddf4d5de93c7e8526df8563334e292317b
                                                    • Instruction Fuzzy Hash: 722106B1500204DFDB05DF94D9C0B5ABBA5FBD4324F24C1B9E9490B256C736E456CBA2
                                                    Function 070F27D8 Relevance: .1, Instructions: 74COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8dcdc087f56a6b449a94844e6ba49360cd49ef596d8acb5497bea7b4a77f53de
                                                    • Instruction ID: 98d7e74ccacc79059754f30a385d5026438550f8dd2422f38e6340ea12a78749
                                                    • Opcode Fuzzy Hash: 8dcdc087f56a6b449a94844e6ba49360cd49ef596d8acb5497bea7b4a77f53de
                                                    • Instruction Fuzzy Hash: 53210275701616CBC725AA65D4A893EBBE2FF896607084279E61ACB794CF30DC03C7C0
                                                    Function 0122D1D4 Relevance: .1, Instructions: 72COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578305650.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_122d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 62748d8798cc957a1a8e0f9c49205f027c2c11c5ce961ef1c0e22bf4a1faba1d
                                                    • Instruction ID: d93c27ed685e2327709836c6639313d9a5c0ceff0103d1381ba604b693735584
                                                    • Opcode Fuzzy Hash: 62748d8798cc957a1a8e0f9c49205f027c2c11c5ce961ef1c0e22bf4a1faba1d
                                                    • Instruction Fuzzy Hash: 11214971514308FFEB05DFA4D9C0B29BB65FB85324F20C66DE9094B243C376D806CA62
                                                    Function 0122D01C Relevance: .1, Instructions: 72COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578305650.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_122d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e21dd99dd6d76cf58e674c8bb042edd8ff4c5979bb110d41b1d271cd932903fe
                                                    • Instruction ID: c315fa1897340479394c7ca900edab1db31bb77eb822a89d789084dd33f8967c
                                                    • Opcode Fuzzy Hash: e21dd99dd6d76cf58e674c8bb042edd8ff4c5979bb110d41b1d271cd932903fe
                                                    • Instruction Fuzzy Hash: E6213771514348EFDB15DFA4D8C0B1ABB61FB84314F20C56DE9090B266C37BD507CA62
                                                    Function 070F98C0 Relevance: .1, Instructions: 71COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29212e85dc2a8667bc1795feee60f3448d876c07c9268dfc7b3d53ba805ddee6
                                                    • Instruction ID: 6c3758801891e573e126b01272881a1646acd70e42a4bfdc83e14da89bf8af43
                                                    • Opcode Fuzzy Hash: 29212e85dc2a8667bc1795feee60f3448d876c07c9268dfc7b3d53ba805ddee6
                                                    • Instruction Fuzzy Hash: D1212BB0B28209DFD7549ABD984473E3BEAEBC9611F514239E606E7384DF709D018792
                                                    Function 070F1498 Relevance: .1, Instructions: 70COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2f1fb1302ef1e7cd7c2e3da9764e849f66bfab347913ed85170429f04b9e0c78
                                                    • Instruction ID: 4d8f1d8364141b3c9c6b7fc6cdbecef1ddf0765ec103ab395aaede1dfd629147
                                                    • Opcode Fuzzy Hash: 2f1fb1302ef1e7cd7c2e3da9764e849f66bfab347913ed85170429f04b9e0c78
                                                    • Instruction Fuzzy Hash: AD21D1B660424EDFCB40AF68E495BAF7BB1EB86714F004138F9068B740CB78D855CBA1
                                                    Function 070F98B1 Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ea1879a028e372b2b1a829a1078ec80dafae59a8079d90beea30591044028b10
                                                    • Instruction ID: ff2b42c4a92ee5bb7df6c6a66161cd290ff406f9674e178f9034a960c34c299f
                                                    • Opcode Fuzzy Hash: ea1879a028e372b2b1a829a1078ec80dafae59a8079d90beea30591044028b10
                                                    • Instruction Fuzzy Hash: 911136B0B28305DFD7148EB99844B7E3BBAEBC9201F11467EE606E7384DF7199018792
                                                    Function 070FA4C7 Relevance: .1, Instructions: 67COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 560b140368d566a98535bba5d34b3b50d571e77c90aa4e547a66c4a2ccb56bdf
                                                    • Instruction ID: 77f5d9fd4d569301341c9e23cf85ad56f5ecec4f399f323711f3b278ee7a7327
                                                    • Opcode Fuzzy Hash: 560b140368d566a98535bba5d34b3b50d571e77c90aa4e547a66c4a2ccb56bdf
                                                    • Instruction Fuzzy Hash: 7B31E0B0D01318DFDB20CFA9C984B8EBBF4AF49714F24851AE408BB280C7B55845CBA1
                                                    Function 070FD4D8 Relevance: .1, Instructions: 66COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 25ce2e50fdf4b7c021641264bbb683b442b9de9780e218c1f06cb916b96e0b81
                                                    • Instruction ID: e9ad409beb15654c495e8638cc498814ba19ce3eec951aeab397215543838006
                                                    • Opcode Fuzzy Hash: 25ce2e50fdf4b7c021641264bbb683b442b9de9780e218c1f06cb916b96e0b81
                                                    • Instruction Fuzzy Hash: 54113D707043009FE7195B298829B2A7B97AFC5F04F5581A6E203CF7D1CAB4DC4087E1
                                                    Function 070F5839 Relevance: .1, Instructions: 65COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 516c3db020f3503afa19b6fc50fe993aa59cece6d052a348068dba068b414c8d
                                                    • Instruction ID: 7756fd606b46dda109a97ccf5d982857a8c5740b8e39cdf711a53aa85701da42
                                                    • Opcode Fuzzy Hash: 516c3db020f3503afa19b6fc50fe993aa59cece6d052a348068dba068b414c8d
                                                    • Instruction Fuzzy Hash: 272189B0E0120D9FDB05DFA5E994AEEBFF6AF88205F148029E461F7250DB319A41DF60
                                                    Function 070FA4D0 Relevance: .1, Instructions: 64COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8f6b48ac02ea25217b711b652ba3684f25fd8778c4b5a12f68c6a9b375e92f01
                                                    • Instruction ID: 84012d7a78c92b023445e4c838f234550bbb2933e6d601f806f48835d194e10a
                                                    • Opcode Fuzzy Hash: 8f6b48ac02ea25217b711b652ba3684f25fd8778c4b5a12f68c6a9b375e92f01
                                                    • Instruction Fuzzy Hash: 4221D0B0D11318DFDB20CF9AC588B8EBBF4BB49714F24851AE508BB290C7B55845CFA5
                                                    Function 0122D006 Relevance: .1, Instructions: 63COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578305650.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_122d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4c701f3d7fa54a02e5ce9aab35114cd7f046497c20befde2a3008935c7528536
                                                    • Instruction ID: 75298a8174b1937086c98055a43fda853e3f3609817809ae613942a633c45749
                                                    • Opcode Fuzzy Hash: 4c701f3d7fa54a02e5ce9aab35114cd7f046497c20befde2a3008935c7528536
                                                    • Instruction Fuzzy Hash: 6621B0714083849FCB02CF24D994715BF71EB46314F28C5DAD9498F2A7C33A980ACB62
                                                    Function 070F27C8 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d3e13a2de5a51e0058a776f9f1ae828c59783eab233a6d2f387aacada1d6779a
                                                    • Instruction ID: 6e9f65c8457c8a1326447a50109125a8b001836ba1e483b028e264a3600cb4f3
                                                    • Opcode Fuzzy Hash: d3e13a2de5a51e0058a776f9f1ae828c59783eab233a6d2f387aacada1d6779a
                                                    • Instruction Fuzzy Hash: 6E112576702512CFC715AA29D4A8B3E7BE2FF856517194279E60ADB750CF30DC038780
                                                    Function 070FA310 Relevance: .1, Instructions: 61COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3335c7f41b9a9a21199e6330bda3b7107b02a2db23096833b2b294c71b0384a1
                                                    • Instruction ID: b53954624dd8c2b2d486e63f9cfeac7e0fd71448097c5054c4f44177c16a3924
                                                    • Opcode Fuzzy Hash: 3335c7f41b9a9a21199e6330bda3b7107b02a2db23096833b2b294c71b0384a1
                                                    • Instruction Fuzzy Hash: F311C6B6B0061A9FCB10DA7998446BFB7F7EBC92507148628E518D7380EF309D058760
                                                    Function 070F78CB Relevance: .1, Instructions: 59COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e09c1e51c553f5ccfa530ec22fce11ebbac8ff2bc8faee543194394ff1831353
                                                    • Instruction ID: c8c6a394178c838f357439a975e5ea2d1c5bb272cb48b7f0e150c3c0a45e5ac0
                                                    • Opcode Fuzzy Hash: e09c1e51c553f5ccfa530ec22fce11ebbac8ff2bc8faee543194394ff1831353
                                                    • Instruction Fuzzy Hash: 19118E76B102059FCB00CF64D849BADBBB6BB8C310F149129FA16E7790CB31AC10CBA0
                                                    Function 070FA240 Relevance: .1, Instructions: 58COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6bc135639e7596edb29e71923227029944bc5e17a4e6970ac54b13ac2deb43af
                                                    • Instruction ID: f7395ae4433ad86744e9354040859d9bc54c6d38cd467ec8ff7dcdeeefdfc67e
                                                    • Opcode Fuzzy Hash: 6bc135639e7596edb29e71923227029944bc5e17a4e6970ac54b13ac2deb43af
                                                    • Instruction Fuzzy Hash: 15111CB1B0021A8FCB95EBBDD8105EEB6F6AFC9710B508169C508E7240EB768D41CBA1
                                                    Function 070FD4C9 Relevance: .1, Instructions: 56COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c0a1581f754cefc268784d9ccd556dc214a13de823af3f65afdb410fcfdc57e4
                                                    • Instruction ID: d7f1cb6844365782f53c9ee697051e2a58fde3066056e512a7c91f2fb6525958
                                                    • Opcode Fuzzy Hash: c0a1581f754cefc268784d9ccd556dc214a13de823af3f65afdb410fcfdc57e4
                                                    • Instruction Fuzzy Hash: CF112BB0B40200DFE7244B64C82AB697397FBC5F04F558566E206DF6D5CAB4DC408B91
                                                    Function 070F8CF4 Relevance: .1, Instructions: 56COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 655db8924e9e84e9e1a89105172b6e655b671c30ef0e4905d2a71097b1a37009
                                                    • Instruction ID: fcf518b369e2b43d845637cc06fdc5305f5888a76096a7960d35034a64ab52d9
                                                    • Opcode Fuzzy Hash: 655db8924e9e84e9e1a89105172b6e655b671c30ef0e4905d2a71097b1a37009
                                                    • Instruction Fuzzy Hash: 6111EE1140E3D55FE303AB7CA8B01C97FB1AE9750870A85C3C1D4DE0A3E61858ACC3AB
                                                    Function 070FB844 Relevance: .1, Instructions: 56COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e44aa15a7bede5b6d45cf04b1adc5eef7ed2e3c26ebf8df558259f3c52c07b4f
                                                    • Instruction ID: 46c2c98ff8fa30d3ed93f105c6927bd6187e0841754d1083dca9ec242f7dc359
                                                    • Opcode Fuzzy Hash: e44aa15a7bede5b6d45cf04b1adc5eef7ed2e3c26ebf8df558259f3c52c07b4f
                                                    • Instruction Fuzzy Hash: 6F2103B5800349EFCB20CFAAD884BDEBBF4FB48310F10841AE919A7210D374A944CFA5
                                                    Function 0104D3D3 Relevance: .1, Instructions: 56COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1577204338.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_104d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                    • Instruction ID: 5d28eb843da36fd73240cb2ca20bc0254ba10c8991e4b83f45c3989fb0139135
                                                    • Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                    • Instruction Fuzzy Hash: A811DFB6404240DFCB02CF54D9C0B56BFB1FB94324F24C2A9D8490B657C33AE456CBA2
                                                    Function 0104D4BF Relevance: .1, Instructions: 56COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1577204338.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_104d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                    • Instruction ID: 33d7ce0356fda9255b0dd28f368b89d26a18d3687f0212ade3a2cec5d5b735e6
                                                    • Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                    • Instruction Fuzzy Hash: A911DFB2504280DFCB02CF54D9C0B16BFB1FB94318F24C6A9D8490B657C336D456CBA2
                                                    Function 0122D1CF Relevance: .1, Instructions: 53COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1578305650.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_122d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                    • Instruction ID: 0e8a5be45bcb7d3ab36ff45990bfddd800b5bd855af05636337a424dec8a2911
                                                    • Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                    • Instruction Fuzzy Hash: F211BB75904284EFDB02CF54C5C0B19FFA1FB85224F24C6A9D9494B697C33AD44ACB62
                                                    Function 070F8C50 Relevance: .1, Instructions: 52COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6b5e08e8fcb55c5df4e62ce73796b2c692c3464d62a9322675e8e7e105971b7b
                                                    • Instruction ID: 538bc59389f3185861692b2ad7b4ccb270799d42c5e510fe6cd4b7ced3aedd2c
                                                    • Opcode Fuzzy Hash: 6b5e08e8fcb55c5df4e62ce73796b2c692c3464d62a9322675e8e7e105971b7b
                                                    • Instruction Fuzzy Hash: 6601F7B122E365CFC3108E689C416AEBBE4EB56721F06C777E269CB6C1D239C84183D1
                                                    Function 070F6077 Relevance: .0, Instructions: 47COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7114ec9ce5c77f77b3a3b6898ff6fc499fac4e2e3b8feeda17f5f8d73dc0ac9b
                                                    • Instruction ID: 6244dd0ff1ec4530e97333d29ade44b8cf7f3ebc770f75ed0bfa627f9ca35a1e
                                                    • Opcode Fuzzy Hash: 7114ec9ce5c77f77b3a3b6898ff6fc499fac4e2e3b8feeda17f5f8d73dc0ac9b
                                                    • Instruction Fuzzy Hash: FA01A7B570010A9FDF40CAA8C844BFFB7F9EBC8310F14C525E601DB641D936D98187A0
                                                    Function 070F8C40 Relevance: .0, Instructions: 47COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d4897c3503125e52e2f5a16878bf3beb8f5be7fd6d5dcaee9a81a045caf472c0
                                                    • Instruction ID: 902b1ec7cc6d058363f361bde13e06e51c5b5c2ac0d171c485558abe186fbbff
                                                    • Opcode Fuzzy Hash: d4897c3503125e52e2f5a16878bf3beb8f5be7fd6d5dcaee9a81a045caf472c0
                                                    • Instruction Fuzzy Hash: F901DBF121E364CFC7104E69DC815AE76E5E756621F05C737E269C76C1D634C84143D1
                                                    Function 070F8469 Relevance: .0, Instructions: 46COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4156bea77e6fce50698eca62be7205ad0321538ab3b7b656d80fd591ea8a3cd5
                                                    • Instruction ID: 0c1d2ccf32ab1b40d0105da03e34dcc31a9e6bf41f6e518b9f425ba5968b6547
                                                    • Opcode Fuzzy Hash: 4156bea77e6fce50698eca62be7205ad0321538ab3b7b656d80fd591ea8a3cd5
                                                    • Instruction Fuzzy Hash: 73111770E0020DAFDB44EFA8D9517AEBFB2FB88204F1085B9C115AB250EB305A069B81
                                                    Function 070F6221 Relevance: .0, Instructions: 46COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5563adcfdb42f6a7ad5db231e8d3790e60b35e8b113df997e883f90c61c9c1c2
                                                    • Instruction ID: e2752b84045f8f51e34a85de6d9ee794681f6ed102d22fc9d5f87bcdd51957ad
                                                    • Opcode Fuzzy Hash: 5563adcfdb42f6a7ad5db231e8d3790e60b35e8b113df997e883f90c61c9c1c2
                                                    • Instruction Fuzzy Hash: 8801E976A0021D9FCF45CF99D9458DDBBF9EF88310F00812AE509EB254D7719919CB90
                                                    Function 070F1F70 Relevance: .0, Instructions: 46COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3647e74232ec5fba8893e123ed790a953d755d42015980e5f5b1e0f7b9b34fd0
                                                    • Instruction ID: 6a9b06466ae6e347d91c5db7a0185dc65144a529cd148070e80870f6c156e0a9
                                                    • Opcode Fuzzy Hash: 3647e74232ec5fba8893e123ed790a953d755d42015980e5f5b1e0f7b9b34fd0
                                                    • Instruction Fuzzy Hash: 35F0F4B7600109ABCB018E55EC00BEF7BAADBC9751F14C235F718C7680CB36C91297A0
                                                    Function 070F1F80 Relevance: .0, Instructions: 46COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dcd214b03f256222520cdee04253004416eb4c543aae0ad30905d00ffcd395a1
                                                    • Instruction ID: df0b06946fe4957e904cc7101a78d058eccb887e97eda983904c8668c88b7aea
                                                    • Opcode Fuzzy Hash: dcd214b03f256222520cdee04253004416eb4c543aae0ad30905d00ffcd395a1
                                                    • Instruction Fuzzy Hash: 5101A2B2B00119AB8B159E59A810AAF7FEADBC9650F148229F705D7280CB75C91197A0
                                                    Function 0104D759 Relevance: .0, Instructions: 45COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1577204338.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_104d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 58e05344189782bde4b8103ab7c3ad2de4f48c2b04e3a742fdf31bbb9478c251
                                                    • Instruction ID: d8ec5d9c0135967c52cf61558fd2915eba4500468c0667e27dd8ea44bc740009
                                                    • Opcode Fuzzy Hash: 58e05344189782bde4b8103ab7c3ad2de4f48c2b04e3a742fdf31bbb9478c251
                                                    • Instruction Fuzzy Hash: 9901FCB10043849BE7509BA9DCC4757BBD8FF51624F14C466ED490E287D3789440C772
                                                    Function 070F8478 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8d03df7eb86cc63078068f653e7af85b5f616145ba192a6abc087b3c1bf17f4d
                                                    • Instruction ID: d84557bdc76597826cb9265e7f113acc10020a9f315d37075080fd00b32842d7
                                                    • Opcode Fuzzy Hash: 8d03df7eb86cc63078068f653e7af85b5f616145ba192a6abc087b3c1bf17f4d
                                                    • Instruction Fuzzy Hash: 7F010C70E0020D9FDB44EFE8D5506EEBFB2FF48204F1085A9C115AB254EB305A069B81
                                                    Function 070F6F48 Relevance: .0, Instructions: 40COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f5c648dd131bce353739a3a11c065d067d76ee04694f9ca9acd35f821319d2e9
                                                    • Instruction ID: b1aea2f4605c5e220a7b95cf7adfec7715178ea0165d998e64a43886cc9281e7
                                                    • Opcode Fuzzy Hash: f5c648dd131bce353739a3a11c065d067d76ee04694f9ca9acd35f821319d2e9
                                                    • Instruction Fuzzy Hash: 0EF090B2B142155FCB24DE59C440ABE37E9DB88320F158276E629C7750C93AD8448791
                                                    Function 070FA884 Relevance: .0, Instructions: 38COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7ce7e52b8d57e38db23510910f440feedc19efa20810cbbcd727d53ba54ea166
                                                    • Instruction ID: e0a70ad95081b25c2c9ff49971f2e2bb2f313d3140db1e3f286102eef385724a
                                                    • Opcode Fuzzy Hash: 7ce7e52b8d57e38db23510910f440feedc19efa20810cbbcd727d53ba54ea166
                                                    • Instruction Fuzzy Hash: 40010CF1D0021ADFDB14CF69C8443ADBBF1AF46364F14C215E528AA690D3B44A86CB90
                                                    Function 0104D758 Relevance: .0, Instructions: 36COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1577204338.000000000104D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0104D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_104d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 685dc08e940d280903b1c8880f430a97c9455505619efe6a6b75b6212558e8c3
                                                    • Instruction ID: 5ef02b6288b8ab0c46e18f56c7ba94379fb27a28bf87188853db3355a116eae2
                                                    • Opcode Fuzzy Hash: 685dc08e940d280903b1c8880f430a97c9455505619efe6a6b75b6212558e8c3
                                                    • Instruction Fuzzy Hash: 3EF04471404744AFE7508A59D8C4B62FFE8EB51624F14C45AED484E287D275A844CBA1
                                                    Function 070FA278 Relevance: .0, Instructions: 35COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 915d6e708a86cc72f14dac5615c4ca69f7038fe1e3e055fdff74dc5fc37eae61
                                                    • Instruction ID: 3858402cf19ef7326a2e666ec29c14c21d758bdfd6ee1fc84a18a6a399883e56
                                                    • Opcode Fuzzy Hash: 915d6e708a86cc72f14dac5615c4ca69f7038fe1e3e055fdff74dc5fc37eae61
                                                    • Instruction Fuzzy Hash: F9F090B2B0024A8B8B89E6ECC8101EE72B3AFC56507648219C605A7754EF76DD02D791
                                                    Function 070FA890 Relevance: .0, Instructions: 34COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 00f4f3317620b4ae42fcf35feea30be7a28db5d412fdf392acc82f2ae1b63353
                                                    • Instruction ID: 7f5321260763c312b3f60a2cce59df3b13373236994f48b4b6f1f864d14d382c
                                                    • Opcode Fuzzy Hash: 00f4f3317620b4ae42fcf35feea30be7a28db5d412fdf392acc82f2ae1b63353
                                                    • Instruction Fuzzy Hash: 8B01ECF0D0021ADFEB14CF59C4043AE7AF1BF45350F10C225E528AA690D7B44A82CBD0
                                                    Function 070FA92B Relevance: .0, Instructions: 33COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8602bfdb7a4ca4de977c8c4dd8bf63a84f10995247e8006db4e57a46b7afbade
                                                    • Instruction ID: 5cabb9fade301363581a3d6618e7b5399b42f4fac61271044f05567a79185393
                                                    • Opcode Fuzzy Hash: 8602bfdb7a4ca4de977c8c4dd8bf63a84f10995247e8006db4e57a46b7afbade
                                                    • Instruction Fuzzy Hash: 43F030B27002286F5318966EEC84D6BBBEEFBCD6743158179F548D7350D9719C0186A0
                                                    Function 070FBC78 Relevance: .0, Instructions: 32COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74ed6ce3b14d8a345273bd5216e4e9ee069f6f6180cfba197f24b73e8f78fd6c
                                                    • Instruction ID: 1afaa885a5fd58cbcb103c6046df95ca1294a2b2f9504f21ba53e4c695b155e6
                                                    • Opcode Fuzzy Hash: 74ed6ce3b14d8a345273bd5216e4e9ee069f6f6180cfba197f24b73e8f78fd6c
                                                    • Instruction Fuzzy Hash: ECF0E2F1A093849FDB05CBB0CC159AA7FF88B8210071944EBD905C7642E9308D0AC722
                                                    Function 070FBCD8 Relevance: .0, Instructions: 32COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e7bf0096d49405f60445747a85ca0dd485a2ee46186b499ec0c8122c9a825b0c
                                                    • Instruction ID: 2ce71e8b780be50bb90d7b97f3a732e549e7c7e2aaaae62ca8c05b7919da1fa5
                                                    • Opcode Fuzzy Hash: e7bf0096d49405f60445747a85ca0dd485a2ee46186b499ec0c8122c9a825b0c
                                                    • Instruction Fuzzy Hash: BCF027F2A04208AFCF05CFA4D84199E7FFAEF44214F0881ABE404D7321E6319D04CB51
                                                    Function 070FA930 Relevance: .0, Instructions: 32COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c9d4c420514ef11f5b28586e580c81a6dd446791b88355a8fc23672245672c10
                                                    • Instruction ID: fa073525c66f40292cb35dc85efdcb6aef399c38bbad86e817c35b464387c1a0
                                                    • Opcode Fuzzy Hash: c9d4c420514ef11f5b28586e580c81a6dd446791b88355a8fc23672245672c10
                                                    • Instruction Fuzzy Hash: B9E0ED767042286F9318DA6EEC84D6BBBEEFBCD674355817AF548C7310D9719C01C6A0
                                                    Function 070FD383 Relevance: .0, Instructions: 24COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 843b4e743371f0527f95d092ec5a50fc9811f5f3b0d12fd3a68c0c2c7aac281a
                                                    • Instruction ID: 0c2e6ab74cc7015a09c7133f85a8f10606f376e052ca76c93f5e439e9dcebd52
                                                    • Opcode Fuzzy Hash: 843b4e743371f0527f95d092ec5a50fc9811f5f3b0d12fd3a68c0c2c7aac281a
                                                    • Instruction Fuzzy Hash: E1E026F2B04109CBE710AB98A4117A97765FBD2B01F90827AD341D7B48CB32C8068622
                                                    Function 070F2C13 Relevance: .0, Instructions: 16COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53a30c34327bfa42178c930a680e0c2b26aa46e3a99816e7939faa0223b5f70e
                                                    • Instruction ID: 78d83746f570e314ffe65c837124054f1e6ae6fba2ff59e55b282ce6c8c3401b
                                                    • Opcode Fuzzy Hash: 53a30c34327bfa42178c930a680e0c2b26aa46e3a99816e7939faa0223b5f70e
                                                    • Instruction Fuzzy Hash: BAD0A73201024C07DA01FB74F85A7D4B775F7D4508F44A130E02406615DF6468488690
                                                    Function 070F2C20 Relevance: .0, Instructions: 12COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9cd6803f7704e694707b5c0830db61ee5f97b818c74f058a122b1339b80a5e4b
                                                    • Instruction ID: 1fbc60282151ec08285d9eff7af1294ed4de62c0d41c6a1ea2b9e8fb43cef21c
                                                    • Opcode Fuzzy Hash: 9cd6803f7704e694707b5c0830db61ee5f97b818c74f058a122b1339b80a5e4b
                                                    • Instruction Fuzzy Hash: 66C0803101030D47DE01F7B9F9599D5777AF6C85087406530E43509529EF743C4C87D1
                                                    Function 070FF4A8 Relevance: .0, Instructions: 10COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 05c30f668aad5535c0aa5587d49b6644b871962f28727cd67eae078024d0a63d
                                                    • Instruction ID: a5af0418c1997eb1560e0975deacebb24991143c9c27878f0b77ec0148c92ac6
                                                    • Opcode Fuzzy Hash: 05c30f668aad5535c0aa5587d49b6644b871962f28727cd67eae078024d0a63d
                                                    • Instruction Fuzzy Hash: 68C08C730003058BD72C3BB0AA0E32436A8AB42212F8000109208808B08EFCA4C0C699
                                                    Function 070F59C0 Relevance: .0, Instructions: 10COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bb943edec02841e0bf6bcbbe293941a586c13ca72c08c38c47c88a165fcd45f5
                                                    • Instruction ID: aeadd256b816f901ce6f830ffdd95122be02800232aa1dedde4fa5a4d7c18b90
                                                    • Opcode Fuzzy Hash: bb943edec02841e0bf6bcbbe293941a586c13ca72c08c38c47c88a165fcd45f5
                                                    • Instruction Fuzzy Hash: 8DB0920B6940404BEF1606609C263A66F72D366200FCCB9A0CDA095384D108981B6250
                                                    Function 070FA208 Relevance: .0, Instructions: 9COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b662863ed04c7d0d812cc47138ef0720454b89b8e1e3569204324166a2a7d9c1
                                                    • Instruction ID: 1d1b49e714f9a00514dde3b7512059eb84ea0328d72aa65d018242d4e999cadd
                                                    • Opcode Fuzzy Hash: b662863ed04c7d0d812cc47138ef0720454b89b8e1e3569204324166a2a7d9c1
                                                    • Instruction Fuzzy Hash: A1C04CBA2192C09ED7477F249C21D82BF72BF62208349A6D3D1905B9B3D515C82CD726
                                                    Function 070FBCB0 Relevance: .0, Instructions: 8COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000A.00000002.1585449665.00000000070F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070F0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_10_2_70f0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 884848de8acadd93480012ba7914022f5f904b9a33d1b774e7e6467c9dac4f37
                                                    • Instruction ID: 147aeb7346af8b2e53e79cd2188afd220d2fae70bcd40c9791bb57481a08c42e
                                                    • Opcode Fuzzy Hash: 884848de8acadd93480012ba7914022f5f904b9a33d1b774e7e6467c9dac4f37
                                                    • Instruction Fuzzy Hash: 09C04C9616D3C18EE306577458215923F2089B250834D64978294965A3D514401DD63A

                                                    Execution Graph

                                                    Execution Coverage:11.5%
                                                    Dynamic/Decrypted Code Coverage:100%
                                                    Signature Coverage:0%
                                                    Total number of Nodes:3
                                                    Total number of Limit Nodes:0
                                                    execution_graph 29070 64ce280 29071 64ce2c6 GlobalMemoryStatusEx 29070->29071 29072 64ce2f6 29071->29072

                                                    Executed Functions

                                                    Function 02DA9B38 Relevance: 3.1, Instructions: 3065COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 143023a15e122667a62f30d9faa6f065b7978ece552a64e8ab29bc592005befd
                                                    • Instruction ID: 3febf02f98929210527cb61cf36b69298628afff2d9ccfaa707af50ee91dd087
                                                    • Opcode Fuzzy Hash: 143023a15e122667a62f30d9faa6f065b7978ece552a64e8ab29bc592005befd
                                                    • Instruction Fuzzy Hash: 55631E31D10B1A8ADB11EF68C8946A9F7B1FF99310F11C79AE45977221FB70AAC4CB41
                                                    Function 02DACDB0 Relevance: 2.3, Instructions: 2309COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e13d8096b4c1a977f58bb4f53c01dab574ffaf12242d6dcf5f2b32f985659fb9
                                                    • Instruction ID: 23f1189fcab3ad4ba65c5f6588e4c608cc475d3923d8793b6ce01cfe8d0199d3
                                                    • Opcode Fuzzy Hash: e13d8096b4c1a977f58bb4f53c01dab574ffaf12242d6dcf5f2b32f985659fb9
                                                    • Instruction Fuzzy Hash: EA333F31D107198EDB11EF68C894AADF7B1FF89300F51C79AE459A7211EB70AAC5CB81
                                                    Function 02DA9378 Relevance: .6, Instructions: 617COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c1fe922b880be3b7143a1206c9c4cd250d0c85297365789e0175c54a1681d993
                                                    • Instruction ID: 49e3338e163df25e4cf4f2d72b1891ea1429688062cc680a187b752a5ac2800e
                                                    • Opcode Fuzzy Hash: c1fe922b880be3b7143a1206c9c4cd250d0c85297365789e0175c54a1681d993
                                                    • Instruction Fuzzy Hash: 8C326075A002088FDB14DF68D9A4BAEBBB2FF88310F148569E90ADB395DB75DC41CB50
                                                    Function 02DA4A98 Relevance: .3, Instructions: 266COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e415f0936c26ef96f5d729fea96e29e24a1877c8a7d602a1148f4bb60bf312dd
                                                    • Instruction ID: 8a0c130238b1d8f37cb1688ae50d77005110a75cf8394a446ca7b67c72898c96
                                                    • Opcode Fuzzy Hash: e415f0936c26ef96f5d729fea96e29e24a1877c8a7d602a1148f4bb60bf312dd
                                                    • Instruction Fuzzy Hash: FDB13E70E00209CFDF14CFA9D895B9EBBF2AF88354F148529D419EB394EBB49845CB91
                                                    Function 02DA3E80 Relevance: .2, Instructions: 238COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2923fc2232e6ce6214f9484dc1a7a4195f1d5e27ab9b8ac3fee586398d9c7f4a
                                                    • Instruction ID: d0bcc94758ae711c37e2a4f7f837df0fd6353d4f854c36b4178138da06d7a98d
                                                    • Opcode Fuzzy Hash: 2923fc2232e6ce6214f9484dc1a7a4195f1d5e27ab9b8ac3fee586398d9c7f4a
                                                    • Instruction Fuzzy Hash: 2C914B70E10209DFDF14CFA9C995B9EBBF2AF88314F148129E415AB394EB749845CB91
                                                    Function 064CE278 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1396 64ce278-64ce27c 1397 64ce27e-64ce2be 1396->1397 1398 64ce245-64ce266 1396->1398 1399 64ce2c6-64ce2f4 GlobalMemoryStatusEx 1397->1399 1401 64ce2fd-64ce325 1399->1401 1402 64ce2f6-64ce2fc 1399->1402 1402->1401
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 064CE2E7
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2777936135.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_64c0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    • Opcode ID: dade346022df81f8581c59e1b79e20e5a3fd06c865777b9dd69697a45efdd89a
                                                    • Instruction ID: e01043799c13c66168a8beba271a3d57bb4bf4daa07b03412f6656cdb299a33b
                                                    • Opcode Fuzzy Hash: dade346022df81f8581c59e1b79e20e5a3fd06c865777b9dd69697a45efdd89a
                                                    • Instruction Fuzzy Hash: 3D2165B5C0061ACFDB20CFAAD844BDEBBF5EF48220F14816AD858A7740D7789940CFA1
                                                    Function 064CE280 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 1407 64ce280-64ce2f4 GlobalMemoryStatusEx 1409 64ce2fd-64ce325 1407->1409 1410 64ce2f6-64ce2fc 1407->1410 1410->1409
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNELBASE ref: 064CE2E7
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2777936135.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_64c0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID:
                                                    • API String ID: 1890195054-0
                                                    • Opcode ID: 39dfbfad37a68420858fde9739a9d58e00147ebc1f8cf73659ac61704ac944a4
                                                    • Instruction ID: f560d237763832c8928b83dc4a9b489a5cdac88e22fb702a412bdbdc6953c6e6
                                                    • Opcode Fuzzy Hash: 39dfbfad37a68420858fde9739a9d58e00147ebc1f8cf73659ac61704ac944a4
                                                    • Instruction Fuzzy Hash: C311F6B1C0065ADBDB10DF9AD444BDEFBF4AF48220F15816AD418A7340D778A945CFA5
                                                    Function 02DA7908 Relevance: .6, Instructions: 553COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 2896 2da7908-2da791f 2897 2da7921-2da7924 2896->2897 2898 2da7951-2da7954 2897->2898 2899 2da7926-2da794c 2897->2899 2900 2da7981-2da7984 2898->2900 2901 2da7956-2da797c 2898->2901 2899->2898 2903 2da79b1-2da79b4 2900->2903 2904 2da7986-2da79ac 2900->2904 2901->2900 2905 2da79b6-2da79b8 2903->2905 2906 2da79c5-2da79c8 2903->2906 2904->2903 3110 2da79ba call 2da9203 2905->3110 3111 2da79ba call 2da9150 2905->3111 3112 2da79ba call 2da9160 2905->3112 2910 2da79ca-2da79f0 2906->2910 2911 2da79f5-2da79f8 2906->2911 2910->2911 2912 2da79fa-2da7a20 2911->2912 2913 2da7a25-2da7a28 2911->2913 2912->2913 2918 2da7a2a-2da7a50 2913->2918 2919 2da7a55-2da7a58 2913->2919 2914 2da79c0 2914->2906 2918->2919 2921 2da7a5a-2da7a80 2919->2921 2922 2da7a85-2da7a88 2919->2922 2921->2922 2926 2da7a8a-2da7ab0 2922->2926 2927 2da7ab5-2da7ab8 2922->2927 2926->2927 2930 2da7aba-2da7ad0 2927->2930 2931 2da7ad5-2da7ad8 2927->2931 2930->2931 2935 2da7ada-2da7b00 2931->2935 2936 2da7b05-2da7b08 2931->2936 2935->2936 2939 2da7b0a-2da7b30 2936->2939 2940 2da7b35-2da7b38 2936->2940 2939->2940 2945 2da7b3a-2da7b60 2940->2945 2946 2da7b65-2da7b68 2940->2946 2945->2946 2949 2da7b6a-2da7b90 2946->2949 2950 2da7b95-2da7b98 2946->2950 2949->2950 2955 2da7b9a-2da7bc0 2950->2955 2956 2da7bc5-2da7bc8 2950->2956 2955->2956 2959 2da7bca-2da7bf0 2956->2959 2960 2da7bf5-2da7bf8 2956->2960 2959->2960 2963 2da7bfa-2da7c20 2960->2963 2964 2da7c25-2da7c28 2960->2964 2963->2964 2968 2da7c2a-2da7c50 2964->2968 2969 2da7c55-2da7c58 2964->2969 2968->2969 2973 2da7c5a-2da7c80 2969->2973 2974 2da7c85-2da7c88 2969->2974 2973->2974 2978 2da7c8a-2da7c9e 2974->2978 2979 2da7ca3-2da7ca6 2974->2979 2978->2979 2983 2da7ca8-2da7cce 2979->2983 2984 2da7cd3-2da7cd6 2979->2984 2983->2984 2991 2da7cd8-2da7cfe 2984->2991 2992 2da7d03-2da7d06 2984->2992 2991->2992 2993 2da7d08-2da7d2e 2992->2993 2994 2da7d33-2da7d36 2992->2994 2993->2994 3001 2da7d38-2da7d5e 2994->3001 3002 2da7d63-2da7d66 2994->3002 3001->3002 3003 2da7d68-2da7d8e 3002->3003 3004 2da7d93-2da7d96 3002->3004 3003->3004 3010 2da7d98-2da7dbe 3004->3010 3011 2da7dc3-2da7dc6 3004->3011 3010->3011 3012 2da7dc8-2da7dee 3011->3012 3013 2da7df3-2da7df6 3011->3013 3012->3013 3020 2da7df8-2da7e1e 3013->3020 3021 2da7e23-2da7e26 3013->3021 3020->3021 3022 2da7e28-2da7e4e 3021->3022 3023 2da7e53-2da7e56 3021->3023 3022->3023 3030 2da7e58-2da7e7e 3023->3030 3031 2da7e83-2da7e86 3023->3031 3030->3031 3032 2da7e88-2da7eae 3031->3032 3033 2da7eb3-2da7eb6 3031->3033 3032->3033 3040 2da7eb8-2da7ede 3033->3040 3041 2da7ee3-2da7ee6 3033->3041 3040->3041 3042 2da7ee8-2da7f0e 3041->3042 3043 2da7f13-2da7f16 3041->3043 3042->3043 3050 2da7f18-2da7f3e 3043->3050 3051 2da7f43-2da7f46 3043->3051 3050->3051 3052 2da7f48-2da7f6e 3051->3052 3053 2da7f73-2da7f76 3051->3053 3052->3053 3060 2da7f78-2da7f9e 3053->3060 3061 2da7fa3-2da7fa6 3053->3061 3060->3061 3062 2da7fa8-2da7fce 3061->3062 3063 2da7fd3-2da7fd6 3061->3063 3062->3063 3070 2da7fd8-2da7ffe 3063->3070 3071 2da8003-2da8006 3063->3071 3070->3071 3072 2da8008-2da802e 3071->3072 3073 2da8033-2da8036 3071->3073 3072->3073 3080 2da8038-2da805e 3073->3080 3081 2da8063-2da8066 3073->3081 3080->3081 3082 2da8068-2da808e 3081->3082 3083 2da8093-2da8096 3081->3083 3082->3083 3090 2da8098-2da80be 3083->3090 3091 2da80c3-2da80c6 3083->3091 3090->3091 3092 2da80c8 3091->3092 3093 2da80d3-2da80d5 3091->3093 3103 2da80ce 3092->3103 3100 2da80dc-2da80df 3093->3100 3101 2da80d7 3093->3101 3100->2897 3104 2da80e5-2da80eb 3100->3104 3101->3100 3103->3093 3110->2914 3111->2914 3112->2914
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d38e7edb3055dde34518a6792d5d9569b830b34e23492c574f00e4b461440d29
                                                    • Instruction ID: a0d0427fb65ce9e77fe719face1c49201d323a3c8910da94c7dec84d038ec59b
                                                    • Opcode Fuzzy Hash: d38e7edb3055dde34518a6792d5d9569b830b34e23492c574f00e4b461440d29
                                                    • Instruction Fuzzy Hash: 2F122770B102099BDB15AB7CE8A4B6CB6A3FB89201F608939E405CB395DF75DC46CF91
                                                    Function 02DA7918 Relevance: .6, Instructions: 550COMMON
                                                    Download Yara Rule

                                                    Control-flow Graph

                                                    • Executed
                                                    • Not Executed
                                                    control_flow_graph 3113 2da7918-2da791f 3114 2da7921-2da7924 3113->3114 3115 2da7951-2da7954 3114->3115 3116 2da7926-2da794c 3114->3116 3117 2da7981-2da7984 3115->3117 3118 2da7956-2da797c 3115->3118 3116->3115 3120 2da79b1-2da79b4 3117->3120 3121 2da7986-2da79ac 3117->3121 3118->3117 3122 2da79b6-2da79b8 3120->3122 3123 2da79c5-2da79c8 3120->3123 3121->3120 3327 2da79ba call 2da9203 3122->3327 3328 2da79ba call 2da9150 3122->3328 3329 2da79ba call 2da9160 3122->3329 3127 2da79ca-2da79f0 3123->3127 3128 2da79f5-2da79f8 3123->3128 3127->3128 3129 2da79fa-2da7a20 3128->3129 3130 2da7a25-2da7a28 3128->3130 3129->3130 3135 2da7a2a-2da7a50 3130->3135 3136 2da7a55-2da7a58 3130->3136 3131 2da79c0 3131->3123 3135->3136 3138 2da7a5a-2da7a80 3136->3138 3139 2da7a85-2da7a88 3136->3139 3138->3139 3143 2da7a8a-2da7ab0 3139->3143 3144 2da7ab5-2da7ab8 3139->3144 3143->3144 3147 2da7aba-2da7ad0 3144->3147 3148 2da7ad5-2da7ad8 3144->3148 3147->3148 3152 2da7ada-2da7b00 3148->3152 3153 2da7b05-2da7b08 3148->3153 3152->3153 3156 2da7b0a-2da7b30 3153->3156 3157 2da7b35-2da7b38 3153->3157 3156->3157 3162 2da7b3a-2da7b60 3157->3162 3163 2da7b65-2da7b68 3157->3163 3162->3163 3166 2da7b6a-2da7b90 3163->3166 3167 2da7b95-2da7b98 3163->3167 3166->3167 3172 2da7b9a-2da7bc0 3167->3172 3173 2da7bc5-2da7bc8 3167->3173 3172->3173 3176 2da7bca-2da7bf0 3173->3176 3177 2da7bf5-2da7bf8 3173->3177 3176->3177 3180 2da7bfa-2da7c20 3177->3180 3181 2da7c25-2da7c28 3177->3181 3180->3181 3185 2da7c2a-2da7c50 3181->3185 3186 2da7c55-2da7c58 3181->3186 3185->3186 3190 2da7c5a-2da7c80 3186->3190 3191 2da7c85-2da7c88 3186->3191 3190->3191 3195 2da7c8a-2da7c9e 3191->3195 3196 2da7ca3-2da7ca6 3191->3196 3195->3196 3200 2da7ca8-2da7cce 3196->3200 3201 2da7cd3-2da7cd6 3196->3201 3200->3201 3208 2da7cd8-2da7cfe 3201->3208 3209 2da7d03-2da7d06 3201->3209 3208->3209 3210 2da7d08-2da7d2e 3209->3210 3211 2da7d33-2da7d36 3209->3211 3210->3211 3218 2da7d38-2da7d5e 3211->3218 3219 2da7d63-2da7d66 3211->3219 3218->3219 3220 2da7d68-2da7d8e 3219->3220 3221 2da7d93-2da7d96 3219->3221 3220->3221 3227 2da7d98-2da7dbe 3221->3227 3228 2da7dc3-2da7dc6 3221->3228 3227->3228 3229 2da7dc8-2da7dee 3228->3229 3230 2da7df3-2da7df6 3228->3230 3229->3230 3237 2da7df8-2da7e1e 3230->3237 3238 2da7e23-2da7e26 3230->3238 3237->3238 3239 2da7e28-2da7e4e 3238->3239 3240 2da7e53-2da7e56 3238->3240 3239->3240 3247 2da7e58-2da7e7e 3240->3247 3248 2da7e83-2da7e86 3240->3248 3247->3248 3249 2da7e88-2da7eae 3248->3249 3250 2da7eb3-2da7eb6 3248->3250 3249->3250 3257 2da7eb8-2da7ede 3250->3257 3258 2da7ee3-2da7ee6 3250->3258 3257->3258 3259 2da7ee8-2da7f0e 3258->3259 3260 2da7f13-2da7f16 3258->3260 3259->3260 3267 2da7f18-2da7f3e 3260->3267 3268 2da7f43-2da7f46 3260->3268 3267->3268 3269 2da7f48-2da7f6e 3268->3269 3270 2da7f73-2da7f76 3268->3270 3269->3270 3277 2da7f78-2da7f9e 3270->3277 3278 2da7fa3-2da7fa6 3270->3278 3277->3278 3279 2da7fa8-2da7fce 3278->3279 3280 2da7fd3-2da7fd6 3278->3280 3279->3280 3287 2da7fd8-2da7ffe 3280->3287 3288 2da8003-2da8006 3280->3288 3287->3288 3289 2da8008-2da802e 3288->3289 3290 2da8033-2da8036 3288->3290 3289->3290 3297 2da8038-2da805e 3290->3297 3298 2da8063-2da8066 3290->3298 3297->3298 3299 2da8068-2da808e 3298->3299 3300 2da8093-2da8096 3298->3300 3299->3300 3307 2da8098-2da80be 3300->3307 3308 2da80c3-2da80c6 3300->3308 3307->3308 3309 2da80c8 3308->3309 3310 2da80d3-2da80d5 3308->3310 3320 2da80ce 3309->3320 3317 2da80dc-2da80df 3310->3317 3318 2da80d7 3310->3318 3317->3114 3321 2da80e5-2da80eb 3317->3321 3318->3317 3320->3310 3327->3131 3328->3131 3329->3131
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a98bdb975751ca742f0366819ff590ce7589bbe814ecac00665f87d91e35cf62
                                                    • Instruction ID: 24c2a92f27f7751ea6ea570d794eca31697625fd10a0e48ace4f7dc84369560e
                                                    • Opcode Fuzzy Hash: a98bdb975751ca742f0366819ff590ce7589bbe814ecac00665f87d91e35cf62
                                                    • Instruction Fuzzy Hash: 5A122830B102099BDB15AB7CE8A4A6CB6A3FBC9641F608939E405CB395DF71DC46CF91
                                                    Function 02DA4A8E Relevance: .3, Instructions: 259COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 834bd6296910b2401c451c1d7be9cec03dedeea5d2c2cb4bd183882be4ff3dcb
                                                    • Instruction ID: 9f31d3f752839c3f81cb30e27586b0ccd3b954ae12dc1d738be0ee2764fb62f7
                                                    • Opcode Fuzzy Hash: 834bd6296910b2401c451c1d7be9cec03dedeea5d2c2cb4bd183882be4ff3dcb
                                                    • Instruction Fuzzy Hash: CBA13B70E00209CFDF10CFA9D895B9EBBF1AF88354F148529D819EB394EBB59845CB91
                                                    Function 02DA9364 Relevance: .2, Instructions: 240COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 02e6e62bafab6faf3fc23e1bf5476c565b308b54638202b289031591d3ac2a8d
                                                    • Instruction ID: 51a0d66a4830ee782228e01a543290516f526487fd5b04c6d34132c1ccae3f5c
                                                    • Opcode Fuzzy Hash: 02e6e62bafab6faf3fc23e1bf5476c565b308b54638202b289031591d3ac2a8d
                                                    • Instruction Fuzzy Hash: 6E912C75A002489FDB14DFA8D9A4BADBBB2EF88310F148565E806E73A4DB75DC42CB50
                                                    Function 02DA3E74 Relevance: .2, Instructions: 234COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f3c01643351c47623a251393a2710e19cac9a800a0615a8154373247136c7e32
                                                    • Instruction ID: 89c791e0ecf0ad7460713abaaeb4aeffd78e2e9318e11d75f84b252154857d64
                                                    • Opcode Fuzzy Hash: f3c01643351c47623a251393a2710e19cac9a800a0615a8154373247136c7e32
                                                    • Instruction Fuzzy Hash: 00915A70E10209DFDF50CFA8C995B9EBBF2AF48314F248129E415AB394EBB49845CF91
                                                    Function 02DA4810 Relevance: .2, Instructions: 180COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 0159231d6bfef2991ec27f007595012b509a3194f06c6b2cbd91f463199cf820
                                                    • Instruction ID: b6f81f2361204f378851eda8193d299f5a5f54d651767cc3c5bc3d262c5e1f74
                                                    • Opcode Fuzzy Hash: 0159231d6bfef2991ec27f007595012b509a3194f06c6b2cbd91f463199cf820
                                                    • Instruction Fuzzy Hash: D47159B0E00249CFDB14DFA9D895B9EBBF2BF88314F148129E415AB354EBB49841CB95
                                                    Function 02DA4804 Relevance: .2, Instructions: 179COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 60df8bd9d713f810e0f43a43e1d914d64b45606a33b7bb1cc948fbc3a4f676b2
                                                    • Instruction ID: 3ac359e0877d7cf908a0ece607c7c3b933a570ee96b68d6725e0c5f5160d528a
                                                    • Opcode Fuzzy Hash: 60df8bd9d713f810e0f43a43e1d914d64b45606a33b7bb1cc948fbc3a4f676b2
                                                    • Instruction Fuzzy Hash: BE7149B0E00249CFDB10CFA9D995B9EBBF2BF88314F148129E415AB354EBB49841CF95
                                                    Function 02DA6ED8 Relevance: .1, Instructions: 144COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 226f63cd230326bdc322bcd59aa3f8ab35ba2ddcdbd61be980563a9db853c479
                                                    • Instruction ID: 0253f1afd7940457d466b52c214f584022a139c224b83bff7b1033126fca2cfb
                                                    • Opcode Fuzzy Hash: 226f63cd230326bdc322bcd59aa3f8ab35ba2ddcdbd61be980563a9db853c479
                                                    • Instruction Fuzzy Hash: 2B418331A002199FDB15DF68C461BAEB7B6EF89300F24856AE415EB390DB75DC46CB90
                                                    Function 02DA6CDE Relevance: .1, Instructions: 134COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e9f3f7631c5dfe7d77a178d8e89443f40c63a23d2146a4b6ca527c2bb2b94636
                                                    • Instruction ID: 3ad2644af00bf8169b57c7590f21a054ce96bde2f3a82f698cc3aa3e1a3b2d1d
                                                    • Opcode Fuzzy Hash: e9f3f7631c5dfe7d77a178d8e89443f40c63a23d2146a4b6ca527c2bb2b94636
                                                    • Instruction Fuzzy Hash: 0F5102B1E00218CFDF18CFAAC894B9DBBB5BF48314F188119E815BB391D7B49944CB95
                                                    Function 02DA6CE8 Relevance: .1, Instructions: 132COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 511032d278a2548b84e68fdc9b7f3e7f93fc8f31d639182f1941a9e07ef5d2e8
                                                    • Instruction ID: 2387ed45d625a298fa710ce023bbaccdd2354c735832916cf36254dc8eb283c9
                                                    • Opcode Fuzzy Hash: 511032d278a2548b84e68fdc9b7f3e7f93fc8f31d639182f1941a9e07ef5d2e8
                                                    • Instruction Fuzzy Hash: 44510271E00218CFDF18CFAAC894B9EBBB5BF48314F188119E815BB390D7B4A944CB95
                                                    Function 02DA1128 Relevance: .1, Instructions: 122COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 29d30eb3415b32060dee9f744b24b3b4a055935df801c4a99645999817bbee26
                                                    • Instruction ID: e29fe6aa383ea30086472225280f1ed62207643e5d8bbdbec71db24a80407991
                                                    • Opcode Fuzzy Hash: 29d30eb3415b32060dee9f744b24b3b4a055935df801c4a99645999817bbee26
                                                    • Instruction Fuzzy Hash: 78510C7960124EEFD70AFB78F8A09A43BB1BBA5704700497AE1008B76EEB606D55CB41
                                                    Function 02DA1138 Relevance: .1, Instructions: 112COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5b55c754e19521f0f4d8a0d9e3b184165824b91521f9d8df47b17d0b7565d512
                                                    • Instruction ID: abaf93f4fb3da70e9d4284e89bb045d5e4a5bc9d3aec1bd643d831d9507fe70e
                                                    • Opcode Fuzzy Hash: 5b55c754e19521f0f4d8a0d9e3b184165824b91521f9d8df47b17d0b7565d512
                                                    • Instruction Fuzzy Hash: DF51DF7954124EEFD70AFB7DF8A09A43BB1BBA5704300497AE1008B76EEB706D55CB41
                                                    Function 02DAF2ED Relevance: .1, Instructions: 110COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 520d4864b5c47b7bd2961ffc7c9f41ce439ceadb4f607e46e6a8aacb3b27982e
                                                    • Instruction ID: 83f249cbfe42f8765ff518b546f0076fa42567ffd57cce0a0b1ec6accd1012d1
                                                    • Opcode Fuzzy Hash: 520d4864b5c47b7bd2961ffc7c9f41ce439ceadb4f607e46e6a8aacb3b27982e
                                                    • Instruction Fuzzy Hash: C7310230B002058FEB15AB78D564BAE77B3AF89640F2448B9C402DB781DF7ACD46CB91
                                                    Function 02DAF300 Relevance: .1, Instructions: 105COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b7f93477feb153b6aab3d0cce339f8ba0910be7e2d0f1fa15e8fa782deb09c14
                                                    • Instruction ID: 245ae3dbfd3849eefa2e605b633377eb78576b51e331079baa2cc2d1ec044a40
                                                    • Opcode Fuzzy Hash: b7f93477feb153b6aab3d0cce339f8ba0910be7e2d0f1fa15e8fa782deb09c14
                                                    • Instruction Fuzzy Hash: 8131C130B002058FEB15AB78D564B6E77A3AFC9640F2488B8C406DB395EF76CD45CB95
                                                    Function 02DAF1B0 Relevance: .1, Instructions: 97COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b2e913bdba9cf953b61586e9019fdad67910804dc6d6acd01ddf9b676c8f0285
                                                    • Instruction ID: 81935092874613ee68fbc721b0d4aed911c1c8b688ea84ce4b159e79868346db
                                                    • Opcode Fuzzy Hash: b2e913bdba9cf953b61586e9019fdad67910804dc6d6acd01ddf9b676c8f0285
                                                    • Instruction Fuzzy Hash: 8D315235E1060A9FDB14DFA4D865A9EB7B2FF89300F14C529E806E7750DB71AC42CB90
                                                    Function 02DA6F78 Relevance: .1, Instructions: 95COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1778a8c77b63f48076194eb63540dde3420165253d8e894ca7e597de62073c7a
                                                    • Instruction ID: 12ae508f4eed0d50a22aa5e591b1b78da68a78a3ee45328ae7dff73da506f22a
                                                    • Opcode Fuzzy Hash: 1778a8c77b63f48076194eb63540dde3420165253d8e894ca7e597de62073c7a
                                                    • Instruction Fuzzy Hash: 73313A30E10209DBEB14CF64D461B9EB7B6EB89210F208526E411EB380EB71ED46CB94
                                                    Function 02DA26DC Relevance: .1, Instructions: 93COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 39223f7a10c0a403de48471038e0d006654c5ba44e0b85033b495a3b3c2ba738
                                                    • Instruction ID: 88bfb4f6394422d7c930a58850ae5ba0f3f211ce974d3299677ea8524df18e1c
                                                    • Opcode Fuzzy Hash: 39223f7a10c0a403de48471038e0d006654c5ba44e0b85033b495a3b3c2ba738
                                                    • Instruction Fuzzy Hash: BD41FFB0D00349DFEB10CFA9C898ADEBBF5BF48314F248029E819AB350DB759945CB91
                                                    Function 02DAF1C0 Relevance: .1, Instructions: 91COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ad7b93492e68076b585d1fe94674541be8e6dae8f57fc0763a904636985d8f42
                                                    • Instruction ID: 6e7f01bdb69d539b48aaa9f9d7371d215e44468dba7751fa3c7b1af9febed251
                                                    • Opcode Fuzzy Hash: ad7b93492e68076b585d1fe94674541be8e6dae8f57fc0763a904636985d8f42
                                                    • Instruction Fuzzy Hash: 67315035E106099FCB14DFA4D865A9EB7B2FF89300F14C529E806E7750DB71AC42CB90
                                                    Function 02DA5099 Relevance: .1, Instructions: 90COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 98d373438ddd862a4897b66adcefbb50649199029c01b8570ea0eb6256173926
                                                    • Instruction ID: 56d529ee0881b90894cb0705ca58a5f2ce4fbdc557569494bc205241ab8e01e2
                                                    • Opcode Fuzzy Hash: 98d373438ddd862a4897b66adcefbb50649199029c01b8570ea0eb6256173926
                                                    • Instruction Fuzzy Hash: F3315C34A04209CFDB14EB74D575AAE77B2AF49344F610478D405AB3A5EB36DC41CB91
                                                    Function 02DA26E8 Relevance: .1, Instructions: 90COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d6a7a8d82dd517d8749e145d483d2a0cb3a2e9621a0cdec7782cf1777e5df310
                                                    • Instruction ID: f984d128629da5d034f200fcaa587228853265e8365ee5fe9bdf58571b47eac2
                                                    • Opcode Fuzzy Hash: d6a7a8d82dd517d8749e145d483d2a0cb3a2e9621a0cdec7782cf1777e5df310
                                                    • Instruction Fuzzy Hash: 8741EFB0D00348DFEB10DFAAC894A9EBBF5FF48314F148429E819AB350DB75A945CB91
                                                    Function 02DA50A8 Relevance: .1, Instructions: 89COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 012c11779eec11f3868acacec2222cdc3c87d03cfa06f4c24931b6c1bd6d2be4
                                                    • Instruction ID: 574652480313b797ccfbbe92370a3432acf3572aa4533db0f4d6c7905b12d205
                                                    • Opcode Fuzzy Hash: 012c11779eec11f3868acacec2222cdc3c87d03cfa06f4c24931b6c1bd6d2be4
                                                    • Instruction Fuzzy Hash: 5D313A34A00219CBDB24EB74D575AAE73B2AB89744F610478D406AB3A4EB36DC41CBA5
                                                    Function 02DA9250 Relevance: .1, Instructions: 83COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 7e8f4c2c496430eaad79e36fba09df108d5f0c3c8c630cb819a1e75a8eb23836
                                                    • Instruction ID: 45398831b65260417588968546a29d96fc636b3ed9ef7b1a19e38f0846e89928
                                                    • Opcode Fuzzy Hash: 7e8f4c2c496430eaad79e36fba09df108d5f0c3c8c630cb819a1e75a8eb23836
                                                    • Instruction Fuzzy Hash: A5314975A1020A9BDB05CFA5D8A0BDEB7B2FF89304F54C529E805EB350EB719846CB90
                                                    Function 02DA9260 Relevance: .1, Instructions: 78COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6d566951ded8f25c287801a9fb9730492e57e79939bf76867e55efe950c30074
                                                    • Instruction ID: 41854b1044bd2c6007508fd0ba1b9533c242484dc592b527beb2e752cf8ae109
                                                    • Opcode Fuzzy Hash: 6d566951ded8f25c287801a9fb9730492e57e79939bf76867e55efe950c30074
                                                    • Instruction Fuzzy Hash: 35213C35A1020A9BDB05CFA5D8A0BDEB7B2FF89300F54C529E805EB354EB719C46CB90
                                                    Function 02DA16A0 Relevance: .1, Instructions: 74COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 61ee3ef59768e62647982dea317e78a9f9eb637cd04b3d9e0ff1b75c2979299d
                                                    • Instruction ID: 356cc86865f2bccaccb8eeaf788c4787e1582c31593288b62c6dadb8ee612efc
                                                    • Opcode Fuzzy Hash: 61ee3ef59768e62647982dea317e78a9f9eb637cd04b3d9e0ff1b75c2979299d
                                                    • Instruction Fuzzy Hash: A321A13861020A8FEF12EB78E8A8B993365FB95704F145A32E00AC7359EB24DC55CBC1
                                                    Function 02DA9150 Relevance: .1, Instructions: 73COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f25200bdcc5a59121a93a20a28422696d7b46a40bc25a969dd3c3131c2797088
                                                    • Instruction ID: e3a07b341d564a2d7dae6593f19758091b8cd558572717986f10c0c72a72e67b
                                                    • Opcode Fuzzy Hash: f25200bdcc5a59121a93a20a28422696d7b46a40bc25a969dd3c3131c2797088
                                                    • Instruction Fuzzy Hash: 5E216235E0020ACBDB18CFA4D864ADEB7B2EF85310F64852AE815FB340DB719C46CB50
                                                    Function 02D1D01C Relevance: .1, Instructions: 72COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767448195.0000000002D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D1D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2d1d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 220427784eefe907f6234d47dac2917c16f028930fc3c83f9c4c534df538198e
                                                    • Instruction ID: 56186f4f5360fd6575e32b1d84be09fa54a1bdce0820f8aa19001a2a74fddb19
                                                    • Opcode Fuzzy Hash: 220427784eefe907f6234d47dac2917c16f028930fc3c83f9c4c534df538198e
                                                    • Instruction Fuzzy Hash: 5121F275604344EFDB14DF24E980B26BB66FB84314F34C5ADE84A4B786C33AD847CA62
                                                    Function 02DA4F88 Relevance: .1, Instructions: 72COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 583dcb176d0746c94f85d02fb1fbf9e8482016a860589e7524f252d329cf9dcd
                                                    • Instruction ID: 1df5606ae83a9b164a23cbca56f0aecf31522dd6582e5f87c411e88a8f7ed534
                                                    • Opcode Fuzzy Hash: 583dcb176d0746c94f85d02fb1fbf9e8482016a860589e7524f252d329cf9dcd
                                                    • Instruction Fuzzy Hash: 2E214B34A002098FDB54DB74D569BADB7F1AF98301F2148A8E406EB3A4DB719C04CB94
                                                    Function 02DA1380 Relevance: .1, Instructions: 71COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9063a6cdbf34911e28e81953dac2c814e7fc3a7192d54390be9e6b26584732ec
                                                    • Instruction ID: d0feaad7ba860070b9472fd047d546deeb60bd4fd85b424306590228913d8306
                                                    • Opcode Fuzzy Hash: 9063a6cdbf34911e28e81953dac2c814e7fc3a7192d54390be9e6b26584732ec
                                                    • Instruction Fuzzy Hash: 8C21AF74A012099BEF396A78E4B8BAD3B61E746315F10082AF44ACB7C0DB69CC81C752
                                                    Function 02DA9160 Relevance: .1, Instructions: 70COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 34963d289b6a5e6575361ca18b4864d3d93b6466738d99ec5335da8eb27f39ef
                                                    • Instruction ID: 204af56fdbff102cabeb9ad10b7e9df2884f5b2f19048aecde788cb82b4e1c02
                                                    • Opcode Fuzzy Hash: 34963d289b6a5e6575361ca18b4864d3d93b6466738d99ec5335da8eb27f39ef
                                                    • Instruction Fuzzy Hash: B2212F35E0020A9BDB18CFA5D864ADEB7B2AF89314F60852AE815FB340DB719D46CB51
                                                    Function 02DA1888 Relevance: .1, Instructions: 70COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d29d4496aca4d93928b589dacf376867177638feaed7d4c68202fc6fb2a0bb35
                                                    • Instruction ID: f52ae08f6bb4fa5ba454a54606802e7d12b2507c3810f9c597b1bdc47199d151
                                                    • Opcode Fuzzy Hash: d29d4496aca4d93928b589dacf376867177638feaed7d4c68202fc6fb2a0bb35
                                                    • Instruction Fuzzy Hash: 63212A34B042198FDB54EB78C525BAE77F6AB89645F200478D40AEB3A4DB32CD40CBA1
                                                    Function 02DA16B0 Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c85f53b35e464d9dd7148e7b0cc55ea51ab187dbca034234d38bc11f60b3f2a4
                                                    • Instruction ID: 646d743fada5196ed2dce5882ffe24bf6e716af375f69a21f2fab31edaf42974
                                                    • Opcode Fuzzy Hash: c85f53b35e464d9dd7148e7b0cc55ea51ab187dbca034234d38bc11f60b3f2a4
                                                    • Instruction Fuzzy Hash: 9F21633861020A8FEF16FB78F8A4B993365FB85604F145A36E00AC7359EB25DC55CB91
                                                    Function 02DA187A Relevance: .1, Instructions: 69COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d0aa2b348bfe3ccf45c3aec668d747654f30ccfe8178aafe122be8f188bb80b0
                                                    • Instruction ID: c9f15850d025b1a898ec04f8ea7bcf6d230493cedd44ea8f9563e085ab1db8ee
                                                    • Opcode Fuzzy Hash: d0aa2b348bfe3ccf45c3aec668d747654f30ccfe8178aafe122be8f188bb80b0
                                                    • Instruction Fuzzy Hash: CA213634A04205CBDB54EB78C525BAE77F2BF89205F210868D04AEB3A4DB36CC40CBA1
                                                    Function 02DA4F98 Relevance: .1, Instructions: 68COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4eccac737e53b5cca546b8fe9d1997c4b381b0bed4c3bafb864206b46955bc68
                                                    • Instruction ID: 67d6a9e73fe994b250565ff7bb7c3dee9d3d389714ee439e0ce4d824e682b777
                                                    • Opcode Fuzzy Hash: 4eccac737e53b5cca546b8fe9d1997c4b381b0bed4c3bafb864206b46955bc68
                                                    • Instruction Fuzzy Hash: 8F211934B002098FDB54EB74D569BAE77F1EF88701F210868E406EB3A4EB729D04CB95
                                                    Function 02D1D005 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767448195.0000000002D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D1D000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2d1d000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5da6694d4e5483ad43cd1609eb13bdc6e187ee8b33feb1933b89c06b1e1cbd0c
                                                    • Instruction ID: 2b52f9ed096db3da411e91942be12bba8e183ba67f5e67c2596ef009109c28e3
                                                    • Opcode Fuzzy Hash: 5da6694d4e5483ad43cd1609eb13bdc6e187ee8b33feb1933b89c06b1e1cbd0c
                                                    • Instruction Fuzzy Hash: 6421A1755093C0DFCB02CF24D990715BF72EB46214F28C5EAD8498F6A7C33A984ACB62
                                                    Function 02DA17C2 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 663d642d97fa01e16e7f0a12ffe3f0b4fb04eaf073b3c3b26712dc572dcea408
                                                    • Instruction ID: 0e05e5ca04c247212b6f0fbee8f869162eb357b1f3409df3dfd0dac276c56b63
                                                    • Opcode Fuzzy Hash: 663d642d97fa01e16e7f0a12ffe3f0b4fb04eaf073b3c3b26712dc572dcea408
                                                    • Instruction Fuzzy Hash: 5911E576B00256ABCF14AF799859B9E7BF6FB88660F104835E949D3344EB35CC01C790
                                                    Function 02DA0848 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6ac4d82094bc86921a7be07ea4c2984a15f7cb9ba78f6fd8c5f2b7c023e355aa
                                                    • Instruction ID: 722caa77b5236e68eb35fb03c15b614aa8752f5596b5febaa1b6a07228105c85
                                                    • Opcode Fuzzy Hash: 6ac4d82094bc86921a7be07ea4c2984a15f7cb9ba78f6fd8c5f2b7c023e355aa
                                                    • Instruction Fuzzy Hash: A511A030B012088FEF24BBB9D464B6A3261FB85616F248A39D006CF385DB21DD81CBD5
                                                    Function 02DA0838 Relevance: .1, Instructions: 62COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 786499c2a47fef591d3270c4757e8b93daf6e1be145df54ff872a748e8c26dd4
                                                    • Instruction ID: d712b2b598a841ca1ae2226578f36a839cac906a1e6002a696aa11a2138a2a46
                                                    • Opcode Fuzzy Hash: 786499c2a47fef591d3270c4757e8b93daf6e1be145df54ff872a748e8c26dd4
                                                    • Instruction Fuzzy Hash: A711E531B002098BFF256BB9D430BAA3261FB85316F258939D402CB385DB65CD81CBC9
                                                    Function 02DA80F1 Relevance: .1, Instructions: 61COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b04df395b62bafc4b3b215384db0b550325daa830619eaf1ebabaad9f62c6c45
                                                    • Instruction ID: 8e6464065ffcf749aa912a4fd8d60f25258a60c91c37843e232bb89141c2fdbb
                                                    • Opcode Fuzzy Hash: b04df395b62bafc4b3b215384db0b550325daa830619eaf1ebabaad9f62c6c45
                                                    • Instruction Fuzzy Hash: 59113A34A0020DDBDB01EBA8F9A1A9D77A1FB84200F2086BAD405DB254EB319E458B91
                                                    Function 02DA148E Relevance: .1, Instructions: 57COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 329d8de1513ba85afaa34173d7b090bd5b29c4a08becb7826cd7f8df3e7233cc
                                                    • Instruction ID: 228f45959bed203e7d73150b862df82f9ae8ec9fe8dd925e315d03bdf0c7eb25
                                                    • Opcode Fuzzy Hash: 329d8de1513ba85afaa34173d7b090bd5b29c4a08becb7826cd7f8df3e7233cc
                                                    • Instruction Fuzzy Hash: 02116131A002159FCB21EFB89460AEEBBF6EB48211F14047AD409E7341E736DD82CBE1
                                                    Function 02DA6B9F Relevance: .1, Instructions: 54COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d135e0412ab06082c9edc1de89d891ee5e8dd3d561344337c49eaac87a734652
                                                    • Instruction ID: 91f4f6f07c0c3f03238c56d43a7e40819319bca154e0902ee0e9854f41888b4f
                                                    • Opcode Fuzzy Hash: d135e0412ab06082c9edc1de89d891ee5e8dd3d561344337c49eaac87a734652
                                                    • Instruction Fuzzy Hash: 7911D6717046448FC7156BB8D4647AD7BB2EFC6311F1984ABC089CB791EF798C428BA1
                                                    Function 02DA1498 Relevance: .1, Instructions: 53COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 679fec341e5456ad97647354cc4f1dad7c7cf447bd03885ac7853d3d5854789f
                                                    • Instruction ID: cd141579b1faa9283ccfa40397b28175f14d6af29699a3dbbaf35a8617bb4998
                                                    • Opcode Fuzzy Hash: 679fec341e5456ad97647354cc4f1dad7c7cf447bd03885ac7853d3d5854789f
                                                    • Instruction Fuzzy Hash: 31014031A012159FCF21EFB89460AAE7BF6EB48255F14047AD80AE7341E736DD81CBE5
                                                    Function 02DA9898 Relevance: .0, Instructions: 47COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 62cdf9f011d18300a068ed26d36c8541bb594ecb151be53060ba6a65b45d8f04
                                                    • Instruction ID: 188a83e94ca2960cece17f6c4a010599e41564a32e0d6802120cb9d94417dbe3
                                                    • Opcode Fuzzy Hash: 62cdf9f011d18300a068ed26d36c8541bb594ecb151be53060ba6a65b45d8f04
                                                    • Instruction Fuzzy Hash: C4015231A002088BDB14EFA9E994BDAB766FFC9310F548174D8085B396EB74AD05CBA1
                                                    Function 02DA1524 Relevance: .0, Instructions: 36COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 95876bb74e75174bc68859dfc9a781c8c8cd5f403fd0fd7fda8b5d138ce060b2
                                                    • Instruction ID: 91555abfa39cb85eb608c2af58d16a9912d704f38b4a50844318b2f1cf757f61
                                                    • Opcode Fuzzy Hash: 95876bb74e75174bc68859dfc9a781c8c8cd5f403fd0fd7fda8b5d138ce060b2
                                                    • Instruction Fuzzy Hash: 8EF0F632A041508FDB229BE894A0AEC7B72FA85211F180097C44ADB395D321DC42CB11
                                                    Function 02DA7090 Relevance: .0, Instructions: 34COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f52a06c846094fab02e022f36217cde1d103187f6150c99261f2b4677af441bd
                                                    • Instruction ID: 25f431c03816b22bcfef4c76e4ca9491ea0dc11bafb84c5de697db361ba0cc08
                                                    • Opcode Fuzzy Hash: f52a06c846094fab02e022f36217cde1d103187f6150c99261f2b4677af441bd
                                                    • Instruction Fuzzy Hash: 17F01439B00108CFDB04DB64D5A8AAC7BB2EF88715F2040A8E5068B3A0DF31AD02CB40
                                                    Function 02DA8100 Relevance: .0, Instructions: 33COMMON
                                                    Download Yara Rule
                                                    Memory Dump Source
                                                    • Source File: 0000000E.00000002.2767966786.0000000002DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DA0000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_14_2_2da0000_DeQadQO.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c4786d2011328ffcfcea40b1af94e9196f3c145eaa936f9e57b5225dd368a1e9
                                                    • Instruction ID: 9e5ca02db6e9a7876509df110c0c420134aaa2b30baed9398f93263ae5654b35
                                                    • Opcode Fuzzy Hash: c4786d2011328ffcfcea40b1af94e9196f3c145eaa936f9e57b5225dd368a1e9
                                                    • Instruction Fuzzy Hash: 43F0CD3491120DEBDB41FBB8F9A1ADD77B1EB84600F6086B9C4059B254EB316E149B91