Windows Analysis Report
hCkkM0lH0P.exe

Overview

General Information

Sample name: hCkkM0lH0P.exe (renamed because original name is a hash value)
Original sample name: aa7e0932069694a1e9e98868f0128d3de3bcee0de7591f12cfc491fa91fc0dd6.exe
Analysis ID: 1587623
MD5: 0fbd42eaa6018baee8d8d62c2523763c
SHA1: 2721894c14665ebf180e94f42b5c352ac62ea7e0
SHA256: aa7e0932069694a1e9e98868f0128d3de3bcee0de7591f12cfc491fa91fc0dd6
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • hCkkM0lH0P.exe (PID: 6468 cmdline: "C:\Users\user\Desktop\hCkkM0lH0P.exe" MD5: 0FBD42EAA6018BAEE8D8D62C2523763C)
    • powershell.exe (PID: 3464 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hCkkM0lH0P.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7360 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • hCkkM0lH0P.exe (PID: 4884 cmdline: "C:\Users\user\Desktop\hCkkM0lH0P.exe" MD5: 0FBD42EAA6018BAEE8D8D62C2523763C)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "roocckkbtwo@apexrnun.com", "Password": "TsHZsTv}Jnj5E5Bn"}
Source | Rule | Description | Author | Strings
00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.2617872188.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.2617872188.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
0.2.hCkkM0lH0P.exe.3d309f0.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.hCkkM0lH0P.exe.3d309f0.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.hCkkM0lH0P.exe.3d309f0.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x32361:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x323d3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3245d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x324ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32559:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x325cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32661:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x326f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.hCkkM0lH0P.exe.3d6c010.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.hCkkM0lH0P.exe.3d6c010.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hCkkM0lH0P.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hCkkM0lH0P.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hCkkM0lH0P.exe", ParentImage: C:\Users\user\Desktop\hCkkM0lH0P.exe, ParentProcessId: 6468, ParentProcessName: hCkkM0lH0P.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hCkkM0lH0P.exe", ProcessId: 3464, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hCkkM0lH0P.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hCkkM0lH0P.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\hCkkM0lH0P.exe", ParentImage: C:\Users\user\Desktop\hCkkM0lH0P.exe, ParentProcessId: 6468, ParentProcessName: hCkkM0lH0P.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hCkkM0lH0P.exe", ProcessId: 3464, ProcessName: powershell.exe
No Suricata rule has matched


AV Detection

Source: hCkkM0lH0P.exe | Avira: detected
Source: 0.2.hCkkM0lH0P.exe.3d309f0.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "roocckkbtwo@apexrnun.com", "Password": "TsHZsTv}Jnj5E5Bn"}
Source: hCkkM0lH0P.exe | Virustotal: Detection: 70%
Source: hCkkM0lH0P.exe | ReversingLabs: Detection: 91%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: hCkkM0lH0P.exe | Joe Sandbox ML: detected
Source: hCkkM0lH0P.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: hCkkM0lH0P.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: flAB.pdbSHA256 source: hCkkM0lH0P.exe
Source: Binary string: flAB.pdb source: hCkkM0lH0P.exe

Networking

Source: Yara match | File source: 4.2.hCkkM0lH0P.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hCkkM0lH0P.exe.3d6c010.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.hCkkM0lH0P.exe.3d309f0.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1  Host: ip-api.com  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: mail.apexrnun.com
Source: hCkkM0lH0P.exe, 00000004.00000002.2617872188.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: hCkkM0lH0P.exe, 00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, hCkkM0lH0P.exe, 00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hCkkM0lH0P.exe, 00000004.00000002.2617872188.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: hCkkM0lH0P.exe, 00000000.00000002.1378033692.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, hCkkM0lH0P.exe, 00000004.00000002.2617872188.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: hCkkM0lH0P.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsdQdelete
Source: hCkkM0lH0P.exe, 00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, hCkkM0lH0P.exe, 00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

System Summary

Source: 0.2.hCkkM0lH0P.exe.3d309f0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hCkkM0lH0P.exe.3d6c010.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.hCkkM0lH0P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hCkkM0lH0P.exe.3d6c010.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.hCkkM0lH0P.exe.3d309f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 0_2_02B0D5BC
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 0_2_08DEF8F0
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 0_2_08DEF4B8
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_01194AC0
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_0119EDA0
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_0119ADD3
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_01193EA8
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_011941F0
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_0688C220
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_0688A9D4
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068A65F8
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068AB2A7
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068A3088
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068AC188
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068A51C0
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068A7D88
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068A76A8
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068AE3A8
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068A0040
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068A58E3
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Code function: 4_2_068A0033
Source: hCkkM0lH0P.exe, 00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2551fb91-c18e-4cfc-9a10-be38a5933551.exe4 vs hCkkM0lH0P.exe
Source: hCkkM0lH0P.exe, 00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs hCkkM0lH0P.exe
Source: hCkkM0lH0P.exe, 00000000.00000000.1364346545.0000000000962000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameflAB.exe8 vs hCkkM0lH0P.exe
Source: hCkkM0lH0P.exe, 00000000.00000002.1375574401.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs hCkkM0lH0P.exe
Source: hCkkM0lH0P.exe, 00000000.00000002.1400319595.00000000076E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs hCkkM0lH0P.exe
Source: hCkkM0lH0P.exe, 00000000.00000002.1378033692.0000000002D44000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2551fb91-c18e-4cfc-9a10-be38a5933551.exe4 vs hCkkM0lH0P.exe
Source: hCkkM0lH0P.exe, 00000004.00000002.2616098147.0000000000B99000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs hCkkM0lH0P.exe
Source: hCkkM0lH0P.exe, 00000004.00000002.2615899257.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename2551fb91-c18e-4cfc-9a10-be38a5933551.exe4 vs hCkkM0lH0P.exe
Source: hCkkM0lH0P.exe | Binary or memory string: OriginalFilenameflAB.exe8 vs hCkkM0lH0P.exe
Source: 0.2.hCkkM0lH0P.exe.3d309f0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hCkkM0lH0P.exe.3d6c010.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.hCkkM0lH0P.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hCkkM0lH0P.exe.3d6c010.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.hCkkM0lH0P.exe.3d309f0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: hCkkM0lH0P.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/1
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hCkkM0lH0P.exe.log
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oytjxpjm.vws.ps1
Source: hCkkM0lH0P.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: hCkkM0lH0P.exe | String found in binary or memory: -Add Fertilizer Details
Source: hCkkM0lH0P.exe | String found in binary or memory: /Add Transaction Details!Transaction Name!Transaction Type/Transaction Description
Source: unknown | Process created: C:\Users\user\Desktop\hCkkM0lH0P.exe "C:\Users\user\Desktop\hCkkM0lH0P.exe"
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hCkkM0lH0P.exe"
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Process created: C:\Users\user\Desktop\hCkkM0lH0P.exe "C:\Users\user\Desktop\hCkkM0lH0P.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\hCkkM0lH0P.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: hCkkM0lH0P.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: hCkkM0lH0P.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: hCkkM0lH0P.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: flAB.pdbSHA256 source: hCkkM0lH0P.exe
                    Source: Binary string: flAB.pdb source: hCkkM0lH0P.exe
                    Source: hCkkM0lH0P.exe; Static PE information: 0xBFF75D56 [Fri Jan 22 03:39:02 2072 UTC]
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Code function: 0_2_08DE87E2 pushad ; iretd 0_2_08DE8800
                    Source: hCkkM0lH0P.exe; Static PE information: section name: .text entropy: 7.544879966198614

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: hCkkM0lH0P.exe PID: 6468, type: MEMORYSTR
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: hCkkM0lH0P.exe, 00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, hCkkM0lH0P.exe, 00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, hCkkM0lH0P.exe, 00000004.00000002.2617872188.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: 2B00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: 2D10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: 2B60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: 8DF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: 9DF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: 9FF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: AFF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: 1150000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: 2CB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: 12B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6865
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2626
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe TID: 5968; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7316; Thread sleep time: -6456360425798339s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7276; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe TID: 7344; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe TID: 7344; Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe TID: 7352; Thread sleep count: 198 > 30
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe TID: 7344; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Last function: Thread delayed
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Thread delayed: delay time: 922337203685477
                    Source: hCkkM0lH0P.exe, 00000004.00000002.2617872188.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware
                    Source: hCkkM0lH0P.exe, 00000004.00000002.2617872188.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
                    Source: hCkkM0lH0P.exe, 00000000.00000002.1375574401.0000000000E82000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\s
                    Source: hCkkM0lH0P.exe, 00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: hCkkM0lH0P.exe, 00000004.00000002.2616710759.000000000128D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Code function: 4_2_011970B0 CheckRemoteDebuggerPresent, 4_2_011970B0
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hCkkM0lH0P.exe"
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Process created: C:\Users\user\Desktop\hCkkM0lH0P.exe "C:\Users\user\Desktop\hCkkM0lH0P.exe"
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Queries volume information: C:\Users\user\Desktop\hCkkM0lH0P.exe VolumeInformation
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 0.2.hCkkM0lH0P.exe.3d309f0.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.hCkkM0lH0P.exe.3d6c010.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.hCkkM0lH0P.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.hCkkM0lH0P.exe.3d6c010.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.hCkkM0lH0P.exe.3d309f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.2617872188.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.2617872188.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: hCkkM0lH0P.exe PID: 6468, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: hCkkM0lH0P.exe PID: 4884, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\hCkkM0lH0P.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                    Remote Access Functionality

                    Source: Yara match; File source: 0.2.hCkkM0lH0P.exe.3d309f0.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.hCkkM0lH0P.exe.3d6c010.2.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 4.2.hCkkM0lH0P.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.hCkkM0lH0P.exe.3d6c010.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.hCkkM0lH0P.exe.3d309f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.2617872188.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000004.00000002.2617872188.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: hCkkM0lH0P.exe PID: 6468, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: hCkkM0lH0P.exe PID: 4884, type: MEMORYSTR

                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 531 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 261 Virtualization/Sandbox Evasion | Security Account Manager | 261 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | 34 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1587623 Sample: hCkkM0lH0P.exe Startdate: 10/01/2025 Architecture: WINDOWS Score: 100 24 mail.apexrnun.com 2->24 26 ip-api.com 2->26 30 Found malware configuration 2->30 32 Malicious sample detected (through community Yara rule) 2->32 34 Antivirus / Scanner detection for submitted sample 2->34 36 8 other signatures 2->36 8 hCkkM0lH0P.exe 4 2->8         started        signatures3 process4 file5 22 C:\Users\user\AppData\...\hCkkM0lH0P.exe.log, ASCII 8->22 dropped 38 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->38 40 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->40 42 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 8->42 44 2 other signatures 8->44 12 hCkkM0lH0P.exe 15 2 8->12         started        16 powershell.exe 23 8->16         started        signatures6 process7 dnsIp8 28 ip-api.com 208.95.112.1, 49747, 80 TUT-ASUS United States 12->28 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->46 48 Tries to steal Mail credentials (via file / registry access) 12->48 50 Tries to harvest and steal ftp login credentials 12->50 52 Tries to harvest and steal browser information (history, passwords, etc) 12->52 54 Loading BitLocker PowerShell Module 16->54 18 conhost.exe 16->18         started        20 WmiPrvSE.exe 16->20         started        signatures9 process10

Source | Detection | Scanner | Label
hCkkM0lH0P.exe | 71% | Virustotal |
hCkkM0lH0P.exe | 92% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook
hCkkM0lH0P.exe | 100% | Avira | TR/AD.GenSteal.gvzir
hCkkM0lH0P.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
mail.apexrnun.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://account.dyn.com/ | hCkkM0lH0P.exe, 00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, hCkkM0lH0P.exe, 00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | hCkkM0lH0P.exe, 00000000.00000002.1378033692.0000000002D44000.00000004.00000800.00020000.00000000.sdmp, hCkkM0lH0P.exe, 00000004.00000002.2617872188.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/DataSet1.xsdQdelete | hCkkM0lH0P.exe | false | | high
http://ip-api.com | hCkkM0lH0P.exe, 00000004.00000002.2617872188.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                                    Joe Sandbox version:42.0.0 Malachite
                                    Analysis ID:1587623
                                    Start date and time:2025-01-10 15:53:47 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 5m 42s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:11
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:hCkkM0lH0P.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:aa7e0932069694a1e9e98868f0128d3de3bcee0de7591f12cfc491fa91fc0dd6.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@7/6@2/1
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 96%
                                    • Number of executed functions: 146
                                    • Number of non-executed functions: 10
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                    • Excluded IPs from analysis (whitelisted): 13.107.246.45, 184.28.90.27, 172.202.163.200
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:54:49 | API Interceptor | 2x Sleep call for process: hCkkM0lH0P.exe modified
09:54:52 | API Interceptor | 15x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | sDflTDPSLw.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | 2HCwqwLg1G.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | CdbVaYf8jC.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | H9YFiQB7o3.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | lFlw40OH6u.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | driver.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | XClient.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | Comprobante.de.pago.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | p.exe | malicious | Unknown | ip-api.com/csv/?fields=query
Match | Associated Sample Name / URL | Detection | Threat Name | Context
s-part-0017.t-0009.t-msedge.net | RSLMZxqebl.exe | malicious | FormBook | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | nRNzqQOQwk.exe | malicious | GuLoader | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | PO-0005082025 pdf.exe | malicious | FormBook, PureLog Stealer | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | PO-0005082025 pdf.exe | malicious | FormBook, PureLog Stealer | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | Shipping Document.exe | malicious | FormBook, PureLog Stealer | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | 1712226379134618467.js | malicious | Strela Downloader | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://www.filemail.com/d/rxythqchkhluipl?skipreg=true | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | https://eu.jotform.com/app/250092704521347 | malicious | Unknown | 13.107.246.45
s-part-0017.t-0009.t-msedge.net | http://loginmicrosoftonline.Bdo.scoremasters.gr/cache/cdn?email=christian.wernli@bdo.ch | malicious | Unknown | 13.107.246.45
ip-api.com | sDflTDPSLw.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | 2HCwqwLg1G.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | CdbVaYf8jC.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | H9YFiQB7o3.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | lFlw40OH6u.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | driver.exe | malicious | Blank Grabber | 208.95.112.1
ip-api.com | XClient.exe | malicious | XWorm | 208.95.112.1
ip-api.com | Comprobante.de.pago.pdf.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | p.exe | malicious | Unknown | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | sDflTDPSLw.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 2HCwqwLg1G.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | CdbVaYf8jC.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | H9YFiQB7o3.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | lFlw40OH6u.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | driver.exe | malicious | Blank Grabber | 208.95.112.1
TUT-ASUS | XClient.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | Comprobante.de.pago.pdf.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | p.exe | malicious | Unknown | 208.95.112.1
                                    No context
                                    Process:C:\Users\user\Desktop\hCkkM0lH0P.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):1216
                                    Entropy (8bit):5.34331486778365
                                    Encrypted:false
                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                    MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                    SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                    SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                    SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                    Malicious:true
                                    Reputation:high, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):2232
                                    Entropy (8bit):5.379460230152629
                                    Encrypted:false
                                    SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:fLHyIFKL3IZ2KRH9Oug8s
                                    MD5:5EDBE2AEEFE69FB36ECED2E31AC9386F
                                    SHA1:6614C7900E4994E1A3606D22916BE68F701A19D4
                                    SHA-256:4275A59302475C8198165F4EB61EA2A88BD12056EA6EE5197C1BF8E6B6A6F9FD
                                    SHA-512:CFBAB752BE8CB209B25F2D1AD30E08E5E7ADB2EE5B4CCE98DCFD20B05E4B1CEFFCB6551556B134A2123412C864A8A544701C846F204783D99CB58936DC086A76
                                    Malicious:false
                                    Reputation:moderate, very likely benign file
                                    Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.535242607623147
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:hCkkM0lH0P.exe
                                    File size:829'440 bytes
                                    MD5:0fbd42eaa6018baee8d8d62c2523763c
                                    SHA1:2721894c14665ebf180e94f42b5c352ac62ea7e0
                                    SHA256:aa7e0932069694a1e9e98868f0128d3de3bcee0de7591f12cfc491fa91fc0dd6
                                    SHA512:12b8df1904d1c97e6658e2ab56723c65122940b22ced7950bb4d1079fceb45c7155fc58f4dd1f2e610db4a001fcdb12d9f22dc92e4615c3ae133def1ea84230a
                                    SSDEEP:12288:egmEIAB7wrQ3Hb13rbJxGnDEFc2WJp/pc0X3rgkesXQgMbA4cD6TOgO0:WE9r37rxGn4FcNJcogk9qcDw20
                                    TLSH:0B05BF1476548F53CA7987F93871E07113F85FAEA02EF2555DC26EEBB9A2F008950E83
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...V]................0.................. ........@.. ....................................@................................
                                    Icon Hash:90cececece8e8eb0
                                    Entrypoint:0x4cba8e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0xBFF75D56 [Fri Jan 22 03:39:02 2072 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcba3a | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xcc000 | 0x61c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xce000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xc7a14 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xc9a94 | 0xc9c00 | c35d0a40adbfc4d1d725638a79950b93 | False | 0.8118332268432465 | data | 7.544879966198614 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xcc000 | 0x61c | 0x800 | 3c7dd3e77eeba4d4ac626e462b4a6489 | False | 0.3369140625 | data | 3.4540976808955652 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xce000 | 0xc | 0x200 | d9c033ed3985c66bf08f893a3aee7985 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_VERSION | 0xcc090 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | - | - | 0.42180616740088106
                                     RT_MANIFEST | 0xcc42c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
                                     DLL | Import
                                     mscoree.dll | _CorExeMain
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Jan 10, 2025 15:54:52.983196020 CET | 49747 | 80 | 192.168.2.11 | 208.95.112.1
                                     Jan 10, 2025 15:54:52.987960100 CET | 80 | 49747 | 208.95.112.1 | 192.168.2.11
                                     Jan 10, 2025 15:54:52.988020897 CET | 49747 | 80 | 192.168.2.11 | 208.95.112.1
                                     Jan 10, 2025 15:54:52.989007950 CET | 49747 | 80 | 192.168.2.11 | 208.95.112.1
                                     Jan 10, 2025 15:54:52.993760109 CET | 80 | 49747 | 208.95.112.1 | 192.168.2.11
                                     Jan 10, 2025 15:54:53.459295034 CET | 80 | 49747 | 208.95.112.1 | 192.168.2.11
                                     Jan 10, 2025 15:54:53.566693068 CET | 49747 | 80 | 192.168.2.11 | 208.95.112.1
                                     Jan 10, 2025 15:55:44.176635981 CET | 49747 | 80 | 192.168.2.11 | 208.95.112.1
                                     Jan 10, 2025 15:55:44.181760073 CET | 80 | 49747 | 208.95.112.1 | 192.168.2.11
                                     Jan 10, 2025 15:55:44.181833029 CET | 49747 | 80 | 192.168.2.11 | 208.95.112.1
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Jan 10, 2025 15:54:52.961042881 CET | 65075 | 53 | 192.168.2.11 | 1.1.1.1
                                     Jan 10, 2025 15:54:52.968019009 CET | 53 | 65075 | 1.1.1.1 | 192.168.2.11
                                     Jan 10, 2025 15:54:54.171463013 CET | 64218 | 53 | 192.168.2.11 | 1.1.1.1
                                     Jan 10, 2025 15:54:54.181550026 CET | 53 | 64218 | 1.1.1.1 | 192.168.2.11
                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Jan 10, 2025 15:54:52.961042881 CET | 192.168.2.11 | 1.1.1.1 | 0xccc2 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                     Jan 10, 2025 15:54:54.171463013 CET | 192.168.2.11 | 1.1.1.1 | 0x35cd | Standard query (0) | mail.apexrnun.com | A (IP address) | IN (0x0001) | false
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Jan 10, 2025 15:54:45.937536001 CET | 1.1.1.1 | 192.168.2.11 | 0x96c6 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                     Jan 10, 2025 15:54:45.937536001 CET | 1.1.1.1 | 192.168.2.11 | 0x96c6 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false
                                     Jan 10, 2025 15:54:52.968019009 CET | 1.1.1.1 | 192.168.2.11 | 0xccc2 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                     Jan 10, 2025 15:54:54.181550026 CET | 1.1.1.1 | 192.168.2.11 | 0x35cd | Name error (3) | mail.apexrnun.com | none | none | A (IP address) | IN (0x0001) | false
                                    • ip-api.com
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                     0 | 192.168.2.11 | 49747 | 208.95.112.1 | 80 | 4884 | C:\Users\user\Desktop\hCkkM0lH0P.exe
                                     Timestamp | Bytes transferred | Direction | Data
                                     Jan 10, 2025 15:54:52.989007950 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                     Host: ip-api.com
                                     Connection: Keep-Alive
                                     Jan 10, 2025 15:54:53.459295034 CET | 175 | IN | HTTP/1.1 200 OK
                                     Date: Fri, 10 Jan 2025 14:54:53 GMT
                                     Content-Type: text/plain; charset=utf-8
                                     Content-Length: 6
                                     Access-Control-Allow-Origin: *
                                     X-Ttl: 11
                                     X-Rl: 43
                                     Data Raw: 66 61 6c 73 65 0a
                                     Data Ascii: false



                                     Target ID: 0
                                     Start time: 09:54:48
                                     Start date: 10/01/2025
                                     Path: C:\Users\user\Desktop\hCkkM0lH0P.exe
                                     Wow64 process (32bit): true
                                     Commandline: "C:\Users\user\Desktop\hCkkM0lH0P.exe"
                                     Imagebase: 0x960000
                                     File size: 829'440 bytes
                                     MD5 hash: 0FBD42EAA6018BAEE8D8D62C2523763C
                                     Has elevated privileges: true
                                     Has administrator privileges: true
                                     Programmed in: C, C++ or other language
                                     Yara matches:
                                     • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                     • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1386426356.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                     Reputation: low
                                     Has exited: true

                                     Target ID: 3
                                     Start time: 09:54:49
                                     Start date: 10/01/2025
                                     Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                     Wow64 process (32bit): true
                                     Commandline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hCkkM0lH0P.exe"
                                     Imagebase: 0xc00000
                                     File size: 433'152 bytes
                                     MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                     Has elevated privileges: true
                                     Has administrator privileges: true
                                     Programmed in: C, C++ or other language
                                     Reputation: high
                                     Has exited: true

                                     Target ID: 4
                                     Start time: 09:54:49
                                     Start date: 10/01/2025
                                     Path: C:\Users\user\Desktop\hCkkM0lH0P.exe
                                     Wow64 process (32bit): true
                                     Commandline: "C:\Users\user\Desktop\hCkkM0lH0P.exe"
                                     Imagebase: 0x940000
                                     File size: 829'440 bytes
                                     MD5 hash: 0FBD42EAA6018BAEE8D8D62C2523763C
                                     Has elevated privileges: true
                                     Has administrator privileges: true
                                     Programmed in: C, C++ or other language
                                     Yara matches:
                                     • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                     • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2615899257.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                     • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2617872188.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                     • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2617872188.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                     • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2617872188.0000000002D0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                     Reputation: low
                                     Has exited: false

                                     Target ID: 5
                                     Start time: 09:54:49
                                     Start date: 10/01/2025
                                     Path: C:\Windows\System32\conhost.exe
                                     Wow64 process (32bit): false
                                     Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                     Imagebase: 0x7ff68cce0000
                                     File size: 862'208 bytes
                                     MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                                     Has elevated privileges: true
                                     Has administrator privileges: true
                                     Programmed in: C, C++ or other language
                                     Reputation: high
                                     Has exited: true

                                     Target ID: 6
                                     Start time: 09:54:53
                                     Start date: 10/01/2025
                                     Path: C:\Windows\System32\wbem\WmiPrvSE.exe
                                     Wow64 process (32bit): false
                                     Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                     Imagebase: 0x7ff6220e0000
                                     File size: 496'640 bytes
                                     MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                     Has elevated privileges: true
                                     Has administrator privileges: false
                                     Programmed in: C, C++ or other language
                                     Reputation: high
                                     Has exited: false


                                      Execution Graph

                                       Execution Coverage: 8.1%
                                       Dynamic/Decrypted Code Coverage: 100%
                                       Signature Coverage: 0%
                                       Total number of Nodes: 56
                                       Total number of Limit Nodes: 1

                                       Control-flow Graph (first basic block at 8deb908; graph listing omitted)
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Telq$Telq
                                      • API String ID: 0-229388037

                                       Control-flow Graph (first basic block at 8deb8f8; graph listing omitted)
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Telq$Telq
                                      • API String ID: 0-229388037

                                       Control-flow Graph (first basic block at 8de6a90; graph listing omitted)
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 8pq$8pq
                                      • API String ID: 0-3067674588

                                       Control-flow Graph (first basic block at 2b0ada8; graph listing omitted)
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1377814386.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0

                                       Control-flow Graph (first basic block at 2b044b4; graph listing omitted)
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 02B059D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1377814386.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0

                                       Control-flow Graph (first basic block at 2b05914; graph listing omitted)
                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 02B059D1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1377814386.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0

                                       Control-flow Graph (first basic block at 2b0d27c; graph listing omitted)
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B0D656,?,?,?,?,?), ref: 02B0D717
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1377814386.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0

                                       Control-flow Graph (first basic block at 2b0d688; graph listing omitted)
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B0D656,?,?,?,?,?), ref: 02B0D717
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1377814386.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0

                                       Control-flow Graph (first basic block at 2b0b031; graph listing omitted)
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02B0ADC4), ref: 02B0AFFE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1377814386.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0

                                       Control-flow Graph (first basic block at 2b0a0cc; graph listing omitted)
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02B0ADC4), ref: 02B0AFFE
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1377814386.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: b42f8cd82134349e6ed2d422cc9be295469db1a9118e58867dc3c063ed051e88
                                      • Instruction ID: a9eb38618b3f99f2f5324a9bfaa5520e1e8e54896a2aeedce50652c110f65550
                                      • Opcode Fuzzy Hash: b42f8cd82134349e6ed2d422cc9be295469db1a9118e58867dc3c063ed051e88
                                      • Instruction Fuzzy Hash: 241102B6D043498FCB20DF9AC484B9EFBF4EB48314F10846AD529B7250D379A545CFA1

                                      Control-flow Graph (rendered graph not reproduced; basic blocks and edges as extracted, executed/not-executed colouring not recoverable)
                                      • Block 631: 8de5c71-8de5ce9
                                      • Block 637: 8de5cf1-8de5cf7
                                      • Block 662: 8de5cfa (call 8de5ee8)
                                      • Block 663: 8de5cfa (call 8de5ea6)
                                      • Block 664: 8de5cfa (call 8de6020)
                                      • Block 638: 8de5d00-8de5e9c (call 8de5380)
                                      • Edges: 631->637, 637->662, 637->663, 637->664, 662->638, 663->638, 664->638
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %*&/)(#$^@!~-_
                                      • API String ID: 0-3325533558
                                      • Opcode ID: c582fa03fe903dd0a2fb35047251ed0429d9c0315416c5301f12105be18b98f4
                                      • Instruction ID: 54ad70aca7e0e982053a1334790b228b3239dab8cb8a4b93ded604d4472d2ebc
                                      • Opcode Fuzzy Hash: c582fa03fe903dd0a2fb35047251ed0429d9c0315416c5301f12105be18b98f4
                                      • Instruction Fuzzy Hash: 1951AD31B002449FDB04BB74E4596ADBBB3FF89300F5485A9D881AF399CF31A949C781

                                      Control-flow Graph (rendered graph not reproduced; basic blocks and edges as extracted, executed/not-executed colouring not recoverable)
                                      • Block 665: 8de5c80-8de5cf7
                                      • Block 696: 8de5cfa (call 8de5ee8)
                                      • Block 697: 8de5cfa (call 8de5ea6)
                                      • Block 698: 8de5cfa (call 8de6020)
                                      • Block 672: 8de5d00-8de5e9c (call 8de5380)
                                      • Edges: 665->696, 665->697, 665->698, 696->672, 697->672, 698->672
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: %*&/)(#$^@!~-_
                                      • API String ID: 0-3325533558
                                      • Opcode ID: 3e0be6e0da51c73e9f384b72a44276c860736aaf44ae1d8b3b8cbe40be247f46
                                      • Instruction ID: c1562bcd736e12a4ea6b077b8b37e916ff36cb33eee3a9f55c67ace0b64892f5
                                      • Opcode Fuzzy Hash: 3e0be6e0da51c73e9f384b72a44276c860736aaf44ae1d8b3b8cbe40be247f46
                                      • Instruction Fuzzy Hash: C351BE31B002449FDB04BB74E5596AEBBB2FF88300F5485A9D881AF399CF71AD45C781
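The function entries on this page follow one fixed layout (APIs or Strings label, Memory Dump Source, Snapshot File, Similarity fields, Opcode/Instruction IDs and fuzzy hashes), and the control-flow graphs are flattened into "id range ... src->dst" text. The parser below is an added example for this report page, not Joe Sandbox code: it turns copied entries into records, groups them by the memory region they were lifted from (which is what an analyst wants when deciding which dump holds the unpacked payload), and rebuilds the flattened graph into nodes and edges. The two sample inputs are constructed by copying entries from the section above; the helper names are this example's own.

```python
"""Parse Joe Sandbox 'IDA Plugin' function entries and flattened
control-flow-graph text into records for triage.
Added example for this page, not Joe Sandbox code; inputs are constructed
copies of entries from the report section above."""
import re
from collections import defaultdict

# Constructed sample: two function entries copied from the report.
SAMPLE_ENTRIES = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,02B0ADC4), ref: 02B0AFFE
Memory Dump Source
• Source File: 00000000.00000002.1377814386.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2b00000_hCkkM0lH0P.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 061ea6a1c1e27ded013c481b9477c61b79d29479240cece5fcd44b9227a95479
• Instruction ID: e95b6acfa547651a99f6e8576a6bda14bc86811e5197dc5bcb2948fd0e34a982
• Opcode Fuzzy Hash: 061ea6a1c1e27ded013c481b9477c61b79d29479240cece5fcd44b9227a95479
• Instruction Fuzzy Hash: B1119476A003049BD715DF5AD884B9ABBF5EB88314F0484A9D518A7290D775A845CFA0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
Similarity
• API ID:
• String ID: %*&/)(#$^@!~-_
• API String ID: 0-3325533558
• Opcode ID: c582fa03fe903dd0a2fb35047251ed0429d9c0315416c5301f12105be18b98f4
• Instruction ID: 54ad70aca7e0e982053a1334790b228b3239dab8cb8a4b93ded604d4472d2ebc
• Opcode Fuzzy Hash: c582fa03fe903dd0a2fb35047251ed0429d9c0315416c5301f12105be18b98f4
• Instruction Fuzzy Hash: 1951AD31B002449FDB04BB74E4596ADBBB3FF89300F5485A9D881AF399CF31A949C781
"""

# Constructed sample: the flattened graph text of the GetModuleHandleW function.
SAMPLE_CFG = ("control_flow_graph 570 2b0a0cc-2b0afd8 572 2b0afe0-2b0b00b GetModuleHandleW "
              "570->572 573 2b0afda-2b0afdd 570->573 574 2b0b014-2b0b028 572->574 "
              "575 2b0b00d-2b0b013 572->575 573->572 575->574")

FIELD_RE = re.compile(r"^• ([A-Za-z ]+?): ?(.*)$")          # "• Key: value" lines
API_RE = re.compile(r"^• (?P<call>[\w.]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")


def parse_entries(text):
    """One dict per lifted function; API bullets preceding an entry belong to it."""
    entries, pending_apis, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":          # start of a new function entry
            cur = {"apis": pending_apis}
            pending_apis = []
            entries.append(cur)
            continue
        m = API_RE.match(line)
        if m:                                     # "• Api.Module(args), ref: addr"
            pending_apis.append((m.group("call"), m.group("ref")))
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2)
    for e in entries:                             # dump base address as an int
        m = OFFSET_RE.search(e.get("Source File", ""))
        e["offset"] = int(m.group(1), 16) if m else None
    return entries


def summarize_by_region(entries):
    """Group functions by dump offset with the APIs and strings seen there."""
    regions = defaultdict(lambda: {"functions": 0, "apis": set(), "strings": set()})
    for e in entries:
        r = regions[e["offset"]]
        r["functions"] += 1
        r["apis"].update(call for call, _ in e["apis"])
        if e.get("String ID"):                    # empty String ID means none
            r["strings"].add(e["String ID"])
    return dict(regions)


def parse_cfg(text):
    """Rebuild {block id: description} and an edge list from the flattened text.
    Block ids are short decimal numbers; addresses are 7 hex digits, so a
    token of fewer than 6 decimal digits is taken as a block id."""
    nodes, edges, cur = {}, [], None
    for tok in text.split():
        if tok == "control_flow_graph":
            continue
        m = re.fullmatch(r"(\d+)->(\d+)", tok)
        if m:
            edges.append((m.group(1), m.group(2)))
        elif tok.isdigit() and len(tok) < 6:
            cur = tok
            nodes[cur] = []
        elif cur is not None:
            nodes[cur].append(tok)
    return {n: " ".join(d) for n, d in nodes.items()}, edges


def entry_and_exit_blocks(nodes, edges):
    """Blocks with no predecessor (function entry) and no successor (returns)."""
    has_pred = {dst for _, dst in edges}
    has_succ = {src for src, _ in edges}
    return (sorted(n for n in nodes if n not in has_pred),
            sorted(n for n in nodes if n not in has_succ))
```

Run over a full copy of the report's function listing, `summarize_by_region` separates the three dumps seen on this page (0x02B00000, 0x08DE0000, 0x010FD000) and shows which one carries the API calls and the odd character-set string, while `entry_and_exit_blocks` gives a quick sanity check that a rebuilt graph has a single entry block.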
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 8pq
                                      • API String ID: 0-1942323134
                                      • Opcode ID: ea3ae0c0253abd183a54356a3a53d57df998540362085510b3c3d2ba66b0218d
                                      • Instruction ID: 65d1cebd7138806c4f23667638f7811db6c19461ada9a0cfaac3505bc322d527
                                      • Opcode Fuzzy Hash: ea3ae0c0253abd183a54356a3a53d57df998540362085510b3c3d2ba66b0218d
                                      • Instruction Fuzzy Hash: 43210670B04200CFDB14AB79A91466A7BF6EFA8342B14427AF242DB395EB74CD01C752
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 224f7cd37c2eae35666352c6568b7e353012c39bcfb797575b7e4c749d4fc275
                                      • Instruction ID: e76825baf9183423808f9775a55bca210335587706cc2c0969544465c588ecce
                                      • Opcode Fuzzy Hash: 224f7cd37c2eae35666352c6568b7e353012c39bcfb797575b7e4c749d4fc275
                                      • Instruction Fuzzy Hash: DD42E230E1061DCFCF15EFA8C8456ECBBB1BF49301F518299D5897B264EB309A99CB81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0b0432783b2b44917ecaaa2a5f8a0b53413be70eb265430bfea14673d74be7be
                                      • Instruction ID: 1494074e085ba6be12e2926ee45b0a96969bd51da138f788e1b2d43b99cf6a5f
                                      • Opcode Fuzzy Hash: 0b0432783b2b44917ecaaa2a5f8a0b53413be70eb265430bfea14673d74be7be
                                      • Instruction Fuzzy Hash: F442E330E10619CFCF15EFA8C8456ECBBB1BF49301F518299D5897B265EB309A99CF81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 72678fc32115d3fb26acf24e25d30298ee49db1463b6ccac7d11560c6842e02c
                                      • Instruction ID: 83ff4dc0f78521df4643470ab35dbc87e157338e64f8fe4f7643918e58d33434
                                      • Opcode Fuzzy Hash: 72678fc32115d3fb26acf24e25d30298ee49db1463b6ccac7d11560c6842e02c
                                      • Instruction Fuzzy Hash: 47224F31A00709DFCF15EF64C8506DDBBB6FF85340F10869AE949AB250EB71EA85CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e7d241bde303dc42fc4e28a7c024c5baf547e9a49da4d5a28cdf0e54a6d5747b
                                      • Instruction ID: 488c356788034b9a1f570e658192506e05f8ffc4b58b8673e79ff183a2b54860
                                      • Opcode Fuzzy Hash: e7d241bde303dc42fc4e28a7c024c5baf547e9a49da4d5a28cdf0e54a6d5747b
                                      • Instruction Fuzzy Hash: 8CB12B74E0521ADFDB04EFA8D580AEDBBB6FF48310F109626E449AB359DB30A945CF40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c589d08db4afca250997c8aa7029814631fd9f302e7f42e80440bf7c610b9fdd
                                      • Instruction ID: dba415cc9c59793f9fc51045ed686e75dd0dce9a35c90f35bab827217f23015c
                                      • Opcode Fuzzy Hash: c589d08db4afca250997c8aa7029814631fd9f302e7f42e80440bf7c610b9fdd
                                      • Instruction Fuzzy Hash: 79819030A10A09DFCB11FF68D4886ADBFB1FF45341F504669E485A72A4EBB0DD65CB80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6d4b64af620846047c233a5a0bd570a38945f9d809a20237ac695ebc65a46f8b
                                      • Instruction ID: 6d477bc8fe97c5e8d297e98480a4f93de4c4d61641e9998ce0384f63bd44c882
                                      • Opcode Fuzzy Hash: 6d4b64af620846047c233a5a0bd570a38945f9d809a20237ac695ebc65a46f8b
                                      • Instruction Fuzzy Hash: E451F474E0014AAFDB14EFA9C8417BEBFB2BB44311F108226F591A73D4CB349C428B90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ce0e0ba5dc22dcc2f3b9c6b94a39c63cda13be87bc0920d942d01bf3f9781ce5
                                      • Instruction ID: a9f9a03e0554a741d6490a84204741ef1dfa8fd839fa4d08875b69c9d580be45
                                      • Opcode Fuzzy Hash: ce0e0ba5dc22dcc2f3b9c6b94a39c63cda13be87bc0920d942d01bf3f9781ce5
                                      • Instruction Fuzzy Hash: D0512631B092548FC715AF6988406AA7FA2EF86B42F0486BBF186DB2D6C674D805D352
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4bed18d663ecc74f1a6f57ff2b794e32b49846403e9ccaf8cdd3b3d4cef57f09
                                      • Instruction ID: fe63155bd872706c9e0c811ee6f60405096e1fcc10d2c09e883114b234fe43c0
                                      • Opcode Fuzzy Hash: 4bed18d663ecc74f1a6f57ff2b794e32b49846403e9ccaf8cdd3b3d4cef57f09
                                      • Instruction Fuzzy Hash: 4D412A74D29208CFDB04DFAAC8406FEBBF6AF8D342F14D16AE459A3251D7348941CB64
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 642283b3064b40647587cd9dfd87fd864022958834fbabbf3a1a7d591a498910
                                      • Instruction ID: a828178d636659c0585cd95f0986436b465333735c5171783eafd9bb7fc22c9c
                                      • Opcode Fuzzy Hash: 642283b3064b40647587cd9dfd87fd864022958834fbabbf3a1a7d591a498910
                                      • Instruction Fuzzy Hash: 01513D71E0064ACBCF10DFA8C881AADB7F1FF88211F14866AE459E7301D734A995CBA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5a9af646395a709811a277ec747f54ecba7bf02801583ca74584d84abb640aaa
                                      • Instruction ID: b09fed068a60d447ed209c75a5f84854a5d9e4d8c42f37ef5d1cd1f0503dc2ca
                                      • Opcode Fuzzy Hash: 5a9af646395a709811a277ec747f54ecba7bf02801583ca74584d84abb640aaa
                                      • Instruction Fuzzy Hash: 3241BFB0D05208EFC725EFA5E5246AEBBB2FF60300F24C19AD0159B366E734CA05CB95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a334980cac7461e613934d1db807eb89a108651cdcb1406938da95fa1ecc7dca
                                      • Instruction ID: afe7d339e7dccc9217dd71e2ed389fea985af6f941d0d3eaf2de7ba6391c25e8
                                      • Opcode Fuzzy Hash: a334980cac7461e613934d1db807eb89a108651cdcb1406938da95fa1ecc7dca
                                      • Instruction Fuzzy Hash: AD418070F045569FDF01BF64C958BAE7BB0BB44383F104A29F582E7294EA74C911CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d127c2bba00fd926afc4633f53f6fc3a995b8a88a997bbda03e8ac1b5a02346a
                                      • Instruction ID: 6cfcd93b2b2d5eab87308d38d1a194cf9d5fb8f7d509bae8d5e5450ecde226bf
                                      • Opcode Fuzzy Hash: d127c2bba00fd926afc4633f53f6fc3a995b8a88a997bbda03e8ac1b5a02346a
                                      • Instruction Fuzzy Hash: 0C41D270F046969FDF02BF60C954BAE7BF0BB44283F10066AF482E7295EA34C911CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bbdce2a11b0fc1a440a8484079083e3e233f84b7e07e16e8e551ebf284c0d212
                                      • Instruction ID: 4a57e42113d42f33c7987083e884d019434b1a41be6e283085f9090619de6038
                                      • Opcode Fuzzy Hash: bbdce2a11b0fc1a440a8484079083e3e233f84b7e07e16e8e551ebf284c0d212
                                      • Instruction Fuzzy Hash: 3E317CB5900208AFCB10DFA9D884ADEBFF5EF49360F10842AE809E7310D735A940CBA0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 778262a4d5d9820bb5920f31344281b50f331f4c983288196abdf57f2b7f8d09
                                      • Instruction ID: 21e54366fa2257950134f9c78760b019e00bbb8ea0c8e0de4c647eac5aa823f8
                                      • Opcode Fuzzy Hash: 778262a4d5d9820bb5920f31344281b50f331f4c983288196abdf57f2b7f8d09
                                      • Instruction Fuzzy Hash: 1131C07070D3804FC7166B74A8293A93FF2AB46256F1942ABE582CB2D3CD788C05C762
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1d2d3dbc623c6eba818a983a61ff6047dbe6c9ca9ff06a31d6a9f6d9228fb46d
                                      • Instruction ID: 5320fe846690f51ad5a62d9123487f9ebfa33dcbe789274dfcc2e64c23221f36
                                      • Opcode Fuzzy Hash: 1d2d3dbc623c6eba818a983a61ff6047dbe6c9ca9ff06a31d6a9f6d9228fb46d
                                      • Instruction Fuzzy Hash: F331FC70904645CFCB24EF69C4002BAFBF2FB84306F1082BAE595E7291DB39D901DBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9a824705d27b249a8e22db6b9b9db3e5193b6eefbab4bac846c5b59c6ce00928
                                      • Instruction ID: 94167c83e500a0cf758d90d34cb6fd4cf92dbb2dc8125d0b98c771bcc1acc59c
                                      • Opcode Fuzzy Hash: 9a824705d27b249a8e22db6b9b9db3e5193b6eefbab4bac846c5b59c6ce00928
                                      • Instruction Fuzzy Hash: A231C0B0A05248CFD710AFA9CD8166AFBF4AF46292F04867BF496D7291D334D940D751
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 674a03c625c97f0d810de203d21a5390430636976b04eacdd524e6acdbabc39a
                                      • Instruction ID: ad51c88472c78258c44af045b55365b64a3208d634877ce32324a068e4b0adea
                                      • Opcode Fuzzy Hash: 674a03c625c97f0d810de203d21a5390430636976b04eacdd524e6acdbabc39a
                                      • Instruction Fuzzy Hash: E021BC707142048FC7086B79A81D66E7FE7AB89396F14826AF646C73D5CE748C01C7A2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5a1b21d55ccf75d2bb9c485fd66454655a4fb590d615daeb57f8eaea45c4d280
                                      • Instruction ID: 6c1dcf5b64c27f14feced4c48797937585c2b2b34447666943562733c5504622
                                      • Opcode Fuzzy Hash: 5a1b21d55ccf75d2bb9c485fd66454655a4fb590d615daeb57f8eaea45c4d280
                                      • Instruction Fuzzy Hash: 5F214A31E00609CFCB05EBA9D4486BEB7B4EF89751F00866AE919E7350EB709985CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 006b394fda17d6c6c0a0af71f2f3a678fd306caf46613c9e296d6385f3d88f02
                                      • Instruction ID: d1ef329e99097e462db192217e438475862be082d9e9e837e0dcd261d40ce34d
                                      • Opcode Fuzzy Hash: 006b394fda17d6c6c0a0af71f2f3a678fd306caf46613c9e296d6385f3d88f02
                                      • Instruction Fuzzy Hash: 2D2115B59017099FDB20DF9AE884ADEFBF4FB48314F14842EE519A7300C375A944CBA4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1376837037.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_10fd000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c57493f0c3758ba557cf0ce7e5644e758f5a0504c88a1dec6ecebace2154077c
                                      • Instruction ID: 73f4b24a9cb049649746e0f5893e5d4551d2b308fa73d10398261fc210fb4418
                                      • Opcode Fuzzy Hash: c57493f0c3758ba557cf0ce7e5644e758f5a0504c88a1dec6ecebace2154077c
                                      • Instruction Fuzzy Hash: 78212271604200DFDB15DF98D980B26BFA5EB88314F20C5ADFA8A4B656C33AD407CB61
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1376837037.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_10fd000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 303ee2c90dbbd0f5a5920f79d80ede0e8b720b0083e64a3c58f396f33c60d7ea
                                      • Instruction ID: 3148de4c7595a8a41296f216a88d5e9da6b98bf16396629744847d58ef52e30e
                                      • Opcode Fuzzy Hash: 303ee2c90dbbd0f5a5920f79d80ede0e8b720b0083e64a3c58f396f33c60d7ea
                                      • Instruction Fuzzy Hash: 97214979504200EFDB81DF98D5C1B26BBA5FB94324F20C5ADEA894B656C33AD406CBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9dc53ec92f48156abbf87a8e493695fa28588b38c6246a086be933ebe1eb5361
                                      • Instruction ID: 500241368c782fd00bd87e7a64a8bee4a345670d4e6659fa9e882c4e52d25963
                                      • Opcode Fuzzy Hash: 9dc53ec92f48156abbf87a8e493695fa28588b38c6246a086be933ebe1eb5361
                                      • Instruction Fuzzy Hash: AE213375A0020A8FCF04EF69C8844AEF7B9FF893507118669E905A7351EB30A945CBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1fdcbb76dab64098a442de7675aa50882862d142e24cc1377c2441eb217b9131
                                      • Instruction ID: e624ce090c08930a65c462a94c2dabdc46bf02dc3ac4b22b2bbcd6bf8e173d76
                                      • Opcode Fuzzy Hash: 1fdcbb76dab64098a442de7675aa50882862d142e24cc1377c2441eb217b9131
                                      • Instruction Fuzzy Hash: 67216075B002058FCB04DF69C8885AEBBB9FF89310705456EE805E7351EB30E905CBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aa9aa50f1bceabd590eb3c111c2308911504533575eff8e473017826d354caf6
                                      • Instruction ID: 2c2d89473e44979d2d3c13d395a5a3aa6e3784098644903d34463ada4e3fcd19
                                      • Opcode Fuzzy Hash: aa9aa50f1bceabd590eb3c111c2308911504533575eff8e473017826d354caf6
                                      • Instruction Fuzzy Hash: 062190B1905219DFC714BFA9D58067ABBB1FB85242F00423BF286A6281D334D951D792
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6c7489c1b85e7387eee36bf1a8202399b741139c2b235513c8ed05eaa52a4b1a
                                      • Instruction ID: 8c6974662aef155a17e77be736220e7880ac4a4d28b9d9eed37b54301c29e29a
                                      • Opcode Fuzzy Hash: 6c7489c1b85e7387eee36bf1a8202399b741139c2b235513c8ed05eaa52a4b1a
                                      • Instruction Fuzzy Hash: D821F0B590174D9FDB20DF9AD884AAEBBF4FB48310F10842EE419A7200D3B4A944CBA4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 32121bd767d2232e572e5f709332b23e77b019fbab88187ad856319f21a93e70
                                      • Instruction ID: 85d83e0619ca67afe55b6db4f2317ddff7201057e42344e80f6cda568348f4f5
                                      • Opcode Fuzzy Hash: 32121bd767d2232e572e5f709332b23e77b019fbab88187ad856319f21a93e70
                                      • Instruction Fuzzy Hash: 0E217AB49002499FCB10EF9AD449BEEBFF5EB88310F108019E955AB380D775A945CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7dbbedd0661e24e207f387a89c65596d6e4f8fdf8815fa96d694f58a5385a494
                                      • Instruction ID: da8a94aacb9b3eb48c04e1ab89afa3e953872d30bc1afffd28d9796cf611c6f0
                                      • Opcode Fuzzy Hash: 7dbbedd0661e24e207f387a89c65596d6e4f8fdf8815fa96d694f58a5385a494
                                      • Instruction Fuzzy Hash: EB2129B4E19209DFCB40DFA9C581AAEBBF5AB49341F609199E818A7311D3309E40DF51
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: abe75aa82a225a9799150e9198c97360818b5489adb7e217c1bd41ace422d533
                                      • Instruction ID: 6dc39a9f1ea547230227158485787d663338e500c7e19341fee6c665e8efa5f2
                                      • Opcode Fuzzy Hash: abe75aa82a225a9799150e9198c97360818b5489adb7e217c1bd41ace422d533
                                      • Instruction Fuzzy Hash: CA2159B49043489FCB10EF99D449BAEBFF4EB49310F10841AE954BB780C739A944CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ee0739dab5d27ac0314b3888561bca8ecad69dd87dfc1e1c0859161324914a2b
                                      • Instruction ID: 464849bdee5634c42df1c67d33bb953f4ec867ddef3757067611558ad726df25
                                      • Opcode Fuzzy Hash: ee0739dab5d27ac0314b3888561bca8ecad69dd87dfc1e1c0859161324914a2b
                                      • Instruction Fuzzy Hash: 9B110630744201CFE3146F248805B6AB7A3EBD5B52F1581BAF042CF2E5C675D842C745
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 11db2901a78331ba194034faa006af7171538ab7216153f609cce45f637e9462
                                      • Instruction ID: 4f12dcc02d2c867471562523a2202f9e506a9b306872656e9726131912f4c6eb
                                      • Opcode Fuzzy Hash: 11db2901a78331ba194034faa006af7171538ab7216153f609cce45f637e9462
                                      • Instruction Fuzzy Hash: E621E7B8E15209CFCB44DFA9C581AAEBBF5BB48341F6091A9E819A7711D7309E40CF91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 81631d7a7115608885c991e93dfd1cce7a9503d244636c7a0e8d9f77ee8c172d
                                      • Instruction ID: 949fb3a03dd72741fe4e20460e07a709a611209460a37f32e4787879f9cdd489
                                      • Opcode Fuzzy Hash: 81631d7a7115608885c991e93dfd1cce7a9503d244636c7a0e8d9f77ee8c172d
                                      • Instruction Fuzzy Hash: 602100B59002499FCB50DF9AD884ADEBFF4FB48320F10842AE919B7310D374A954CFA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 298da4614fb50cf6779f38fc6b618abe36931fd6b62f5fcfebe6c8061a540b6b
                                      • Instruction ID: 12e0ea2c9a7cbadf70f8e363d38838f184faa43c8acf4ec9c18d42d44531637b
                                      • Opcode Fuzzy Hash: 298da4614fb50cf6779f38fc6b618abe36931fd6b62f5fcfebe6c8061a540b6b
                                      • Instruction Fuzzy Hash: 0A1191B1D04209AFDB01EFA5D8506AE7FB2FF44301B0081EAE0559F3A5DB344A06CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fc3f4eda7e4c27868c2b1fb1003a73538ef0e9bd427f6a50c28c881d1b566d01
                                      • Instruction ID: cbf388526286b06bc808d796e3f85966feb2fed7fc9cdaa1d070fadbfc43aee8
                                      • Opcode Fuzzy Hash: fc3f4eda7e4c27868c2b1fb1003a73538ef0e9bd427f6a50c28c881d1b566d01
                                      • Instruction Fuzzy Hash: 9C114674D28208DFCB04EFA9C5409ADBFF5FB49301F1196AAE488A7212D3309A40DB41
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1376837037.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_10fd000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                      • Instruction ID: 8ea07771b568f0c79e72269f449c412fdec6780cfa00b991d5e18bda0fb7389a
                                      • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                      • Instruction Fuzzy Hash: DB11BB79504280DFDB42CF54C5C4B15BBA1FB84224F24C6AED9894B696C33AD40ACBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1376837037.00000000010FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_10fd000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                      • Instruction ID: 25e643fb9999e3ae5b84a343026ab70eb077821f5aba909f28015e587b911b8a
                                      • Opcode Fuzzy Hash: a3be7094ea246a7cddba5200c6ce82fad2e7d53e3ec886449491685f026f1607
                                      • Instruction Fuzzy Hash: 6411DD75504280CFDB16CF58D5C4B15FFA2FB84314F24C6AEE9494BA56C33AD40ACBA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 51b7c263b2726460c0ad19ef9d3b49e83acddde97895413ad9d8c8d6346c12f7
                                      • Instruction ID: 84c5d0382da4b2ef087574e24307e4d20c984e4219fc58ec877fe52dee3523bd
                                      • Opcode Fuzzy Hash: 51b7c263b2726460c0ad19ef9d3b49e83acddde97895413ad9d8c8d6346c12f7
                                      • Instruction Fuzzy Hash: A5111870D05218DFDB48DF6AD4408EEBBFAAF89341F04C129E859A7351DB309841CF90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 14ab665f3f47d042a75eb89a2ababe7ba6059ccf97ce7ac965c0c0f2d46585fc
                                      • Instruction ID: 83371a783d1b14a86c574a4efbd828bf02f2485c7014c3c9de686ba780578876
                                      • Opcode Fuzzy Hash: 14ab665f3f47d042a75eb89a2ababe7ba6059ccf97ce7ac965c0c0f2d46585fc
                                      • Instruction Fuzzy Hash: C411CE30E0020A9FDB00EF68C8526AFBBB2EF08354F008628E815A7390DB749545CBC0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 53b991f6bf2244779a8079c8e893e14765384a9f397ee5e71f3881f235a85f5a
                                      • Instruction ID: a7c348ef7bc80b556cd8c916846d2cf10e9f9a234261c2de2b5715df9b4cacd2
                                      • Opcode Fuzzy Hash: 53b991f6bf2244779a8079c8e893e14765384a9f397ee5e71f3881f235a85f5a
                                      • Instruction Fuzzy Hash: 7301D2B1A05424CFC7047F98D68077AF260FB85742F00433BF696EA6C5D630D951E791
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3cac6cfb4b0de5e596ef03c72ee57494d8904d4c09176608b46b32baf2154c21
                                      • Instruction ID: dc6f2e145705481afb029d8e0951337571b65e5692cba93ecd5dc7e7f5c437e4
                                      • Opcode Fuzzy Hash: 3cac6cfb4b0de5e596ef03c72ee57494d8904d4c09176608b46b32baf2154c21
                                      • Instruction Fuzzy Hash: 631105B1D00209AFDB41EFA9D9516AEBFB6FF44300F1085EAD055AB3A4EB341A05CB91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1376776996.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_10ed000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7497be55e18b470d4e368e11fb58eb04e8ac64d25c72206affd476287aeda1a3
                                      • Instruction ID: 584db7b989b99f0c2f6d2a3aa0a30509eee07a73c0785e96a83fe5d99bc413f6
                                      • Opcode Fuzzy Hash: 7497be55e18b470d4e368e11fb58eb04e8ac64d25c72206affd476287aeda1a3
                                      • Instruction Fuzzy Hash: B701FC710443809EE7104B5ACD8CB6ABFD8FF41320F04C56AEDC94A246E2799440C771
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 985f5e44353ae1935c9a6ff083f809a3ab3b4445b2c75fab5c4d9873ad799bab
                                      • Instruction ID: ddea095ac1d1c132dc49ddadb9f7a718880e2aef13045e369a52ca1a5776cf75
                                      • Opcode Fuzzy Hash: 985f5e44353ae1935c9a6ff083f809a3ab3b4445b2c75fab5c4d9873ad799bab
                                      • Instruction Fuzzy Hash: E5018C30E0020A9FDB04EFA8C8026AEBBB1EF48344F108629E915E7390DB74A545CBC4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 29c41920c74ea02d3741fddd22fdfe3132c25ad8071b9182e7bac3ba55e50a49
                                      • Instruction ID: 5d381bf353780c26b37e93c318fa72f22dd78be172c04cdf97011a7905ed971f
                                      • Opcode Fuzzy Hash: 29c41920c74ea02d3741fddd22fdfe3132c25ad8071b9182e7bac3ba55e50a49
                                      • Instruction Fuzzy Hash: E601FB74A09108EFC704EFA9C684AADBBFAAB49311F55D198E4499B365DB30DE00DB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38f807d0627a7f8d462815bafdcf8e8374407740c2d918e0452e97b6576b382e
                                      • Instruction ID: 7cd03b80f519cbff346ff79973c397cbe59a567919db5c395d5cc18492ce598e
                                      • Opcode Fuzzy Hash: 38f807d0627a7f8d462815bafdcf8e8374407740c2d918e0452e97b6576b382e
                                      • Instruction Fuzzy Hash: D60108B1D0020DAFDB40EFA9D9516AEBFB6FF44300F1085AAD015AB354EB341A05CF81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 54366c16fe279f1e9bb6b731d767a6dcd07746faa22e959796574a9edba5f241
                                      • Instruction ID: bcc4b98b21434e267e55c01a96c5aee9543871c02075b483daf77bc155a423f2
                                      • Opcode Fuzzy Hash: 54366c16fe279f1e9bb6b731d767a6dcd07746faa22e959796574a9edba5f241
                                      • Instruction Fuzzy Hash: 4A01A232A1070ADFCF00AF78D8444D9BB76FF95305F118B2EE04567250EB759599CB90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c2a56f2501d7f60b47506f85a97ffa64bc0371dae9fb37743773d6874bd0a363
                                      • Instruction ID: b3d8a96e60f5a8ededc79a8689e7ecbc4bbfc8754962f3a4870325177ef26d15
                                      • Opcode Fuzzy Hash: c2a56f2501d7f60b47506f85a97ffa64bc0371dae9fb37743773d6874bd0a363
                                      • Instruction Fuzzy Hash: 8E017C34906218CFC725EF64E5449A8B77AFF4E312F104299E40EA7252CB32DE85CF10
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0cdbd05358aac3308aca97880ad4b1bc2c2815f3e1d09ef01a980ac40ae5624c
                                      • Instruction ID: e22617c7eddb2c8bd827641a422a0c1bb4a8a8b6300910eb40332ee4d02d3139
                                      • Opcode Fuzzy Hash: 0cdbd05358aac3308aca97880ad4b1bc2c2815f3e1d09ef01a980ac40ae5624c
                                      • Instruction Fuzzy Hash: 5801A232A1070A9BCF00AF65D8488CABB75FF85305F11872AE00527210EB70A599CB90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1376776996.00000000010ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 010ED000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_10ed000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: db0d065177bf5356bef0bde5f06536012433c5c5957df02389ec45178c956efa
                                      • Instruction ID: 75504fd9571ab3aa7458e84f3d7c8799a4ba44615adad5b111417cf5445080ae
                                      • Opcode Fuzzy Hash: db0d065177bf5356bef0bde5f06536012433c5c5957df02389ec45178c956efa
                                      • Instruction Fuzzy Hash: 20F06271444384AEE7218F1AC888B66FFD8EF81734F18C45AED885A286D2799844CBB1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 50a9b3b1deffbeea9ca03ee985a95e42c204dec76aa4e53c74f2e794259d6ac8
                                      • Instruction ID: c94ff64444179ac8bd64ea055b669887220bbc701616881349babc297fae4d26
                                      • Opcode Fuzzy Hash: 50a9b3b1deffbeea9ca03ee985a95e42c204dec76aa4e53c74f2e794259d6ac8
                                      • Instruction Fuzzy Hash: BCF030343105108FC744AB6DC88893973EAEFCDA51B1541BAE60ECB3B4CF60DC0287A0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eb528c85c387b09b32a094ee1e83e319cb821bf3b269c4e0e994a57ae0d8f283
                                      • Instruction ID: 0ca449e1e72d027e4f159edab99e118b1dd70096826ceee32a31e2e1791d2fe1
                                      • Opcode Fuzzy Hash: eb528c85c387b09b32a094ee1e83e319cb821bf3b269c4e0e994a57ae0d8f283
                                      • Instruction Fuzzy Hash: 2F01F674D01109AFCB44EFA8D5849AEBBF5BB08301F108199E854E3341D734AA40CBA1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f69e832e9560238f4fd38e95e2c899efce453f02faa9253a2ef123ed7ea414ad
                                      • Instruction ID: 9860588b048a27744cb38c3f75a1dd46f411795d09e6092e6cf4fda973b5a114
                                      • Opcode Fuzzy Hash: f69e832e9560238f4fd38e95e2c899efce453f02faa9253a2ef123ed7ea414ad
                                      • Instruction Fuzzy Hash: F0F06DB092438A8FDB14DFA9C405AAEBFF0BF19351F1046A9E451DB241D7348145CF80
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b0384e2c9b8ee6562d6f967b23859d44f9246206416524db58e45117ec25ad5f
                                      • Instruction ID: 0e9da5c296e475ed371ea91039cf0d1659809bf52ead766b113f0c2a8aa1046c
                                      • Opcode Fuzzy Hash: b0384e2c9b8ee6562d6f967b23859d44f9246206416524db58e45117ec25ad5f
                                      • Instruction Fuzzy Hash: C3F0DAB0D1420E9FDB44EFA9C846AAEBFF4AB48240F1046A9E919E7201D77095448F90
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fa7e25d431c496a2f5aaa80d935690727efc066424f9ec5e83534246418f8188
                                      • Instruction ID: e423a43d17183bf702771c2cdbcfb4f16d980fff3accb089c9138bf0035841a0
                                      • Opcode Fuzzy Hash: fa7e25d431c496a2f5aaa80d935690727efc066424f9ec5e83534246418f8188
                                      • Instruction Fuzzy Hash: 98E06D71B006114B871CEBABA49086AFADBEFC8650344C1AED44D8B7A4ED719C418B84
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a7eb067e6a668b4372539dfcd2dee0b908db1e44c2207de0e419bd79bfa226db
                                      • Instruction ID: 3bd1e5622410b4bfa9f315788fa35494b8c5498d358c93705b8a8224fa3925ad
                                      • Opcode Fuzzy Hash: a7eb067e6a668b4372539dfcd2dee0b908db1e44c2207de0e419bd79bfa226db
                                      • Instruction Fuzzy Hash: 3DF0A074850207DFC720DFA8C400A5ABFF0EF18356F2486A9E458D6661E7354041CB40
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7adce6766ad8537d0695724e6d0ae7cf8b3994b08da48815b5b31081ac6b1fda
                                      • Instruction ID: 45f823b303b73428df3ee78629f1e673ff87da492b600f8a73001cd7c712afd6
                                      • Opcode Fuzzy Hash: 7adce6766ad8537d0695724e6d0ae7cf8b3994b08da48815b5b31081ac6b1fda
                                      • Instruction Fuzzy Hash: C5E06576600008AF9F48EF94E941E9E7BFAEF44255B14816AF408D7324E630D951C750
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7454592eeec79e1deb4890bf1e6776df554f63db45388e6e57a1addec142fe33
                                      • Instruction ID: defd2b818ee8091464c9bff9f76b47d964818fb70119b8de9671ee2544b29550
                                      • Opcode Fuzzy Hash: 7454592eeec79e1deb4890bf1e6776df554f63db45388e6e57a1addec142fe33
                                      • Instruction Fuzzy Hash: 32F0E23590E2808FC701D7A4E8A9AA47F76EF47202F0A40FBD08D9F4A3C7798518CB21
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1d344c2674af4a8f792fe92bd3fc2531e369db50af21e0d5c5dfed0b717b0fc9
                                      • Instruction ID: 67fd2a8ced18cc8d426ca22a1d23671b354578f49bcc6c779e5847665fbcf693
                                      • Opcode Fuzzy Hash: 1d344c2674af4a8f792fe92bd3fc2531e369db50af21e0d5c5dfed0b717b0fc9
                                      • Instruction Fuzzy Hash: 9FF06571509204CFC715AB64E5955A47739FF4F356F0011D6E44E9B127D7329945CF20
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f3678e2c910916d5f296616ae3e0c49d0e1f43dcdbe21c8d29e306fa1ecec977
                                      • Instruction ID: 621e99b08f2b18a2ee9ec1df6903867c81470f299d1f339dd50daa337a8599b2
                                      • Opcode Fuzzy Hash: f3678e2c910916d5f296616ae3e0c49d0e1f43dcdbe21c8d29e306fa1ecec977
                                      • Instruction Fuzzy Hash: 77E02BB25062447F8702AB54DC00CC57FEDEE17D0030A8087F08CDB222D9279851C7E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cae3397b54498c44e3ac7cdf7bbc7c0d3c19f1641df5c8f8e35edd4fc8f270ce
                                      • Instruction ID: 00bf9130dc8b2eccc7ffdcd81174da6e663138d54cc0ac5e3ef5bfd726823b72
                                      • Opcode Fuzzy Hash: cae3397b54498c44e3ac7cdf7bbc7c0d3c19f1641df5c8f8e35edd4fc8f270ce
                                      • Instruction Fuzzy Hash: 49F0F878A09228DFDB60DF64D895BA8BBB4BB19701F1091D6E48DA7341D7749EC0CF11
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2c76ba3add25c64fb32b54b50c631d39fd04bc566fa1116bb98fa4642f0e5a26
                                      • Instruction ID: baecbe6976e8c587d747d17ec932aa78138c66b1e9379f7f56c2f72c1e9c4e93
                                      • Opcode Fuzzy Hash: 2c76ba3add25c64fb32b54b50c631d39fd04bc566fa1116bb98fa4642f0e5a26
                                      • Instruction Fuzzy Hash: A3E0DFB1A047404F931A9B29C480466BBB3BFC4210304C2AFD0498BA68E9310D01CB84
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b2bca3ece15577d21e70bcf8c44044540afc2f609fc711d34567e224c0f905c9
                                      • Instruction ID: 5dbb3d7b43656478f02d83a3c09511d3e2d7780d3ba989cb54c25ebe5e678658
                                      • Opcode Fuzzy Hash: b2bca3ece15577d21e70bcf8c44044540afc2f609fc711d34567e224c0f905c9
                                      • Instruction Fuzzy Hash: 7EE06D34A00109DFEB40AFFCC94966E7BB1FB45301F200666E502E7741CA38C940C752
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 658d0905f27c78fb92b8a9c4a73bae7010c0ab4452fcb499c8bd294e17da4bfb
                                      • Instruction ID: 5cfc269498f88be8ff91a065ba3bbb612c898f84621538512e39a303013ae51b
                                      • Opcode Fuzzy Hash: 658d0905f27c78fb92b8a9c4a73bae7010c0ab4452fcb499c8bd294e17da4bfb
                                      • Instruction Fuzzy Hash: 73D05E36A1C3448FCA19FA96FC511EEBF62EE98066B04416AE54897252C62B140A8725
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c22edfbcd26b3a3c542521d160410d7d35095f23368ba951493054ec73700ec6
                                      • Instruction ID: c1266c7c32c38a07281b8c0d7736f86b14765806438b78eca655acbe6bb6dd2b
                                      • Opcode Fuzzy Hash: c22edfbcd26b3a3c542521d160410d7d35095f23368ba951493054ec73700ec6
                                      • Instruction Fuzzy Hash: BDE092B0D5020A9FD740EFB9C905A6EBBF4AB08600F1185A9D019E7211E7749A058F91
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f402eb7c4efe51a3ebcc013b6c28f2e3e9e81ec66fee8635219f2f869688bc0b
                                      • Instruction ID: 2bd33eb7707ce023ceaf917d8bb1fcf3ce9e2a2f6028f7c85823171b1b1b0f09
                                      • Opcode Fuzzy Hash: f402eb7c4efe51a3ebcc013b6c28f2e3e9e81ec66fee8635219f2f869688bc0b
                                      • Instruction Fuzzy Hash: 4BD05E3004A343CFC3026BA0EC09268BFB46B16316F4401A6E48483593DB684456C765
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38f7e37b492b028fc3d4627982765366af304ded803b3e592cfd90d652386c29
                                      • Instruction ID: cef3a11ab10916f43c414ae94707faa393643b441e4a58478de69a38ec6d0f2c
                                      • Opcode Fuzzy Hash: 38f7e37b492b028fc3d4627982765366af304ded803b3e592cfd90d652386c29
                                      • Instruction Fuzzy Hash: 13D09E759452199FCB90EB54E9817EC7779EB85225F0052A1E00D92225DB301E9ACF11
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5d90c9cf1372fc477ad315d4e190e5d25da956bfc8a3803348d8feb8a1aa068c
                                      • Instruction ID: c31fa22efdb1d85ab7895b950b1c1b71369aea9a71b763f7242e22812734b78d
                                      • Opcode Fuzzy Hash: 5d90c9cf1372fc477ad315d4e190e5d25da956bfc8a3803348d8feb8a1aa068c
                                      • Instruction Fuzzy Hash: DAD0123612020D9E4B40FE99FC00C537FDDBB347517408522F508CB120EA21F434D791
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9c2c60772cc12243f4928a8b8a5b2b553d5826df92ef859b9922f0de317ba0d6
                                      • Instruction ID: f255fd340709b6aa6235f7ae64ae21fd5f5f3c61a705a942e376a6fb40236480
                                      • Opcode Fuzzy Hash: 9c2c60772cc12243f4928a8b8a5b2b553d5826df92ef859b9922f0de317ba0d6
                                      • Instruction Fuzzy Hash: 28C012361005187B4A01AB85D800C86BBADEF49654305C056F50C8B121D672E912D7E0
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8ac9de59f6f6fef98e150bc8c48f8275c7a7937850e38ccdc1197fdfa149d366
                                      • Instruction ID: af84a129a1bffba86fb6a881ea8a781b6cae22a02ce14a0435db946ed7382300
                                      • Opcode Fuzzy Hash: 8ac9de59f6f6fef98e150bc8c48f8275c7a7937850e38ccdc1197fdfa149d366
                                      • Instruction Fuzzy Hash: 3DC08C300066058FC2043BA4F90E3387668670431AF400018B909430525FA80441C699
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cc137bf870c02e5893a8fa93d99f16f2407549f86985017ad167c7731c093256
                                      • Instruction ID: de36f6a6f6b6d017039ed36fd8263c94dc604ec3e3ff64c8a48b5d33ff95d36c
                                      • Opcode Fuzzy Hash: cc137bf870c02e5893a8fa93d99f16f2407549f86985017ad167c7731c093256
                                      • Instruction Fuzzy Hash: 80B012391E7180A1D00136E459CCE2EA561EFF1786B808E12B78864018C4B08C64923B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 438dd4d98261fa841cd82db75501495fb746c8bad630d5fcf154d7a535d0650f
                                      • Instruction ID: da3c3ec1ed1f1e2199bacdd2569a5d28b0132c929e3b65b8f16bc5b24127cf18
                                      • Opcode Fuzzy Hash: 438dd4d98261fa841cd82db75501495fb746c8bad630d5fcf154d7a535d0650f
                                      • Instruction Fuzzy Hash: 87C00274914299CFDB109F90D885B9D7B31AF45355F104185D40923254C77499D6CF64
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dfa962a3340d0eda6526361c45239114f3c6600681f6d8e370b9620dd482e80c
                                      • Instruction ID: 870dab516bd382256d209577a798329217bbc78d4d5b4b81d55c3e91da03e106
                                      • Opcode Fuzzy Hash: dfa962a3340d0eda6526361c45239114f3c6600681f6d8e370b9620dd482e80c
                                      • Instruction Fuzzy Hash: 46A022EB3202800ABA083830AC02BC00A20CBF03CC3008002AB2838200CA80C0AAC03B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3142eab096809de480015c83cd023c4a397d71406b9a5f893d5ef68ffdf3f32c
                                      • Instruction ID: 9fe5e2a33637d8e0e02275c619adf3d8933268f93e8f2887de9d2d3e93115601
                                      • Opcode Fuzzy Hash: 3142eab096809de480015c83cd023c4a397d71406b9a5f893d5ef68ffdf3f32c
                                      • Instruction Fuzzy Hash: 73E10C74E111198FCB14DF99C9909AEFBF2FF89305F248269E415AB355DB30A942CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1401383878.0000000008DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 08DE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_8de0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 71fa32ef7cfbaa3194ececa824cadfb76d7fd43922bd3b830bbb1b6253d97561
                                      • Instruction ID: 00694195b0c1daabacb9df11770b615f3ec9b697d7d80ceaaad6ae294c6823c5
                                      • Opcode Fuzzy Hash: 71fa32ef7cfbaa3194ececa824cadfb76d7fd43922bd3b830bbb1b6253d97561
                                      • Instruction Fuzzy Hash: A6E11C74E111199FCB14DFA9C5809AEFBF2FF88315F2482A9E414AB355DB31A942CF60
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1377814386.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d100789a8dd3d27ad9e6411fa36542162a63721aa4f6d9a2357ead82e4969ddc
                                      • Instruction ID: 454e6f4cabc3eb9762a3897a119b3d2fa6095b8129d31a6ff30284a9147a17fb
                                      • Opcode Fuzzy Hash: d100789a8dd3d27ad9e6411fa36542162a63721aa4f6d9a2357ead82e4969ddc
                                      • Instruction Fuzzy Hash: E9A15032F102058FCF16DFA4C9845AEBBB2FF85304B1585AAE805AB6A5DF31E955CF40

                                      Execution Graph

                                      Execution Coverage:10.8%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:3%
                                      Total number of Nodes:101
                                      Total number of Limit Nodes:15
                                      execution_graph (rendered graph; the node list was flattened by extraction). API calls recoverable from it, by node address:
                                      • 6883858: DuplicateHandle
                                      • 11970f4: CheckRemoteDebuggerPresent (entered from 11970b0)
                                      • 6883656 and 68836e5: GetCurrentProcess; 68836a8: GetCurrentThread; 6883743: GetCurrentThreadId (entered from 6883610)
                                      • 68afc80: GlobalMemoryStatusEx (two calls), reached from 1198278 via 68af62b / 68af638
                                      • 688bd80: GetModuleHandleW, reached from 688bae8 / 688baf8 via 688bb38
                                      • 688dd1d: CreateWindowExW, reached from 688cdf8 / 688cde9 via 688dce5

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph (rendered graph; node list flattened by extraction): function at 68a3088, basic blocks 68a3088 through 68a3893; block 68a310d calls 68a38a8 / 68a38a0.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq$$lq$$lq$$lq$$lq
                                      • API String ID: 0-1854859054
                                      • Opcode ID: 91769c2cecb1aadddbca4e42fd3820cd10415eeef71c1f5c95d6bf4b42d9d5b0
                                      • Instruction ID: 62028bc39e76e8d58808e389716f79388cc6e681483a4cd296f7907b8a9223a0
                                      • Opcode Fuzzy Hash: 91769c2cecb1aadddbca4e42fd3820cd10415eeef71c1f5c95d6bf4b42d9d5b0
                                      • Instruction Fuzzy Hash: D0321D31E1071ADFDB14EF75C89459DB7B6BF99300F20C6AAD449A7264EB30E985CB80

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph (rendered graph; node list flattened by extraction): function at 68a7d88, basic blocks 68a7d88 through 68a83c8; blocks 68a815c and 68a7fd7 call 68a65a8.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq
                                      • API String ID: 0-4169330588
                                      • Opcode ID: 05c926a341ff0f293d81aab57a3dc4c095eaa81a3c4ae5d7516583628c34bf95
                                      • Instruction ID: 3254a1e3c180cbf80a739a33230d622e2c204036eb1fffdf41f0257fbbf38ae3
                                      • Opcode Fuzzy Hash: 05c926a341ff0f293d81aab57a3dc4c095eaa81a3c4ae5d7516583628c34bf95
                                      • Instruction Fuzzy Hash: A902AD70B002059FEB54DF64D9906AEB7E2FF84304F248929E905DB399DB76EC46CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $
                                      • API String ID: 0-3993045852
                                      APIs
                                      • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01197127
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2616633159.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1190000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: CheckDebuggerPresentRemote
                                      • String ID:
                                      • API String ID: 3662101638-0
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq$$lq$$lq$$lq$$lq$$lq$$lq
                                      • API String ID: 0-2898588307
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 0688368E
                                      • GetCurrentThread.KERNEL32 ref: 068836CB
                                      • GetCurrentProcess.KERNEL32 ref: 06883708
                                      • GetCurrentThreadId.KERNEL32 ref: 06883761
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623557392.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6880000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 0688368E
                                      • GetCurrentThread.KERNEL32 ref: 068836CB
                                      • GetCurrentProcess.KERNEL32 ref: 06883708
                                      • GetCurrentThreadId.KERNEL32 ref: 06883761
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623557392.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6880000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq$$lq$$lq
                                      • API String ID: 0-195311763
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq$$lq
                                      • API String ID: 0-2860745148
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: fqq$XPqq$\Oqq
                                      • API String ID: 0-3180005619
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: X!@$x!@
                                      • API String ID: 0-2527372166
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq
                                      • API String ID: 0-4169330588
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0688BD9E
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623557392.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6880000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0688DE42
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623557392.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6880000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 76577bbeb84a1027938143aff37b12a97b473aa79141f5b98b7fb2420021f974
                                      • Instruction ID: 74eedc2212ca7ff32897579b4ddb41eb31492cbe1b98a78ae36223564759e531
                                      • Opcode Fuzzy Hash: 76577bbeb84a1027938143aff37b12a97b473aa79141f5b98b7fb2420021f974
                                      • Instruction Fuzzy Hash: A451E0B1D00249EFDF15DFA9C984ADEBFB6BF48300F15816AE918AB260D7719845CF90
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0688DE42
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623557392.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6880000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      • Opcode ID: 42e4db9c5c52292427efef569c2638fa5485818368fb43a8840c22aaf26b317c
                                      • Instruction ID: a567b6921b74bda159b4959b519c80dbd2ac9915d8275cdfd5fd23cd580bac72
                                      • Opcode Fuzzy Hash: 42e4db9c5c52292427efef569c2638fa5485818368fb43a8840c22aaf26b317c
                                      • Instruction Fuzzy Hash: 6451DFB1D10349AFDB54DFA9C984ADEFBB5BF48310F24812AE819AB250D7719845CF90
                                      APIs
                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0688DE42
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623557392.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6880000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: CreateWindow
                                      • String ID:
                                      • API String ID: 716092398-0
                                      APIs
                                      • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01197127
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2616633159.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1190000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: CheckDebuggerPresentRemote
                                      • String ID:
                                      • API String ID: 3662101638-0
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068838DF
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623557392.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6880000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068838DF
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623557392.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6880000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      APIs
                                      • GlobalMemoryStatusEx.KERNELBASE ref: 0119F377
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2616633159.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1190000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      APIs
                                      • GlobalMemoryStatusEx.KERNELBASE ref: 0119F377
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2616633159.0000000001190000.00000040.00000800.00020000.00000000.sdmp, Offset: 01190000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_1190000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0688BD9E
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623557392.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_6880000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: XPqq
                                      • API String ID: 0-1382539260
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PHlq
                                      • API String ID: 0-2055891399
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PHlq
                                      • API String ID: 0-2055891399
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PHlq
                                      • API String ID: 0-2055891399
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: |
                                      • API String ID: 0-2343686810
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: |
                                      • API String ID: 0-2343686810
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq
                                      • API String ID: 0-4199647819
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \Oqq
                                      • API String ID: 0-3397364966
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2616341518.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_fbd000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a12d0fed6d7c2b84a48be44b845a76381620d27b8a9835641e759e115aa0c7c9
                                      • Instruction ID: 52323b7e3407ca60fb655b7e4b197c95ea021a07aa63878cd0116430d4030b97
                                      • Opcode Fuzzy Hash: a12d0fed6d7c2b84a48be44b845a76381620d27b8a9835641e759e115aa0c7c9
                                      • Instruction Fuzzy Hash: 0F213775604200DFCB14EF14D9C0B56BF65FB88364F20C56DE80A0B25AD33AD807DE62
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 33950a92375b573db7723723b13c22080127f4144499d4901891de06bec64f62
                                      • Instruction ID: f2381348e41da31f78ad731562a663ee7540900a78a3d14500c2e3aeabdec5ba
                                      • Opcode Fuzzy Hash: 33950a92375b573db7723723b13c22080127f4144499d4901891de06bec64f62
                                      • Instruction Fuzzy Hash: 7C21D231F102099FEF54DA69E9507AEB7B6EB84350F288425E905EB348E732ED41CB80
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2616341518.0000000000FBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FBD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_fbd000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 47cd0ab695c866cfa8ae94e08baee01ecc7469abfe872507b1775bf613b13216
                                      • Instruction ID: 5036632721e70b1949e034ae9952a7d5e5b8043941f98951d32011277bf5f2af
                                      • Opcode Fuzzy Hash: 47cd0ab695c866cfa8ae94e08baee01ecc7469abfe872507b1775bf613b13216
                                      • Instruction Fuzzy Hash: 87219F755093C08FCB02DF24D994715BF71EB46324F29C5EAD8498F6A7C33A980ADB62
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7c4edc98200fc96f434956937368880706b2d3a8567bf40d8a59c74ea7e4635e
                                      • Instruction ID: 3cd111bb5ee9c0809a5ec5b8054bc51eaa526a4bcf4e4726ad6fb7bd0e8cd947
                                      • Opcode Fuzzy Hash: 7c4edc98200fc96f434956937368880706b2d3a8567bf40d8a59c74ea7e4635e
                                      • Instruction Fuzzy Hash: AC11A132B106298FDF54D678CD146AE73AAABC8310B014539C906E7358EE34DC028BD1
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5933e7f9e33914d5d0fcb404e8a1ad9449c1fc303903049a4be45b5632ef606b
                                      • Instruction ID: d21afee5379c3fff582c4cea138bb0120704c36d567a298366326ac95382710d
                                      • Opcode Fuzzy Hash: 5933e7f9e33914d5d0fcb404e8a1ad9449c1fc303903049a4be45b5632ef606b
                                      • Instruction Fuzzy Hash: 7201BC31B002110BEB64967C9854B1FB7EAEBCA724F14C43AEA0ACB745EE25DC024391
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ae46eb509ba6d72c4305cc9a039ca54ba14484ec81bb9efa4ee107e364149ce5
                                      • Instruction ID: 32286876f74039fe6b87ed7091ccbf952322c34f40155917d13d2af7a44aec97
                                      • Opcode Fuzzy Hash: ae46eb509ba6d72c4305cc9a039ca54ba14484ec81bb9efa4ee107e364149ce5
                                      • Instruction Fuzzy Hash: 7D21FFB1D01299AFCB50CFAAD984BDEFFB4FB49310F10816AE918B7240D3756944CBA5
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fad26df26176a8bec9e469328b032ef9075f61a0b852de64bd7f3883941aee62
                                      • Instruction ID: 027416aba6b100e79a02a71e8880006666fecdba083b5acf7fdabf8cb72ee5d1
                                      • Opcode Fuzzy Hash: fad26df26176a8bec9e469328b032ef9075f61a0b852de64bd7f3883941aee62
                                      • Instruction Fuzzy Hash: 5C01F735B103104FD765DA38E85072EB7EAEB86714F10C43EE58ACB399EA25CC02C780
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6cce494eee58ecc73b1d71818eb50a7aa98e16bdd0f5b515c758ba7b6a7df15d
                                      • Instruction ID: f4c45e5eaf12b91985a286e6dd7addcd9e3af4237eaf9876e8ec6c4b55a25e95
                                      • Opcode Fuzzy Hash: 6cce494eee58ecc73b1d71818eb50a7aa98e16bdd0f5b515c758ba7b6a7df15d
                                      • Instruction Fuzzy Hash: 8E11D0B5D01259AFCB00DF9AD984ADEFBB4FB49310F10812AE918B7300D375A944CFA5
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 03cf01a380c70b291da9e6d3f921c6c2f06875860191ed3ae196b5d61886d755
                                      • Instruction ID: 60e87dae4ebc93cbbd665182ec537b2fae77ed7379c71f868cd2d93adb69e888
                                      • Opcode Fuzzy Hash: 03cf01a380c70b291da9e6d3f921c6c2f06875860191ed3ae196b5d61886d755
                                      • Instruction Fuzzy Hash: A001A735B001118FDBA5DA7CD45872E73E6EBC5714F14C83EE64ACB345EA25DC028781
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 152698b8389eee7911338be858e51dcc5609368ac5c222d4db0aed4eb7997d88
                                      • Instruction ID: 34ecef07f81c6267c10c5d9c44c6d9b50513cafb71d056448ffdac1196381690
                                      • Opcode Fuzzy Hash: 152698b8389eee7911338be858e51dcc5609368ac5c222d4db0aed4eb7997d88
                                      • Instruction Fuzzy Hash: 9501AF35B005110BEB64967D9850B2FB3DFDBC9724F20C43AEA0ACB799EE65DC024791
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0a3d1fcfaa77d22a7685c9aa173a99a7bdf525016450af66438897afa9a06908
                                      • Instruction ID: a9ce686bb4b9247def0326428741ad75f5213188ccbfac22d147d2971a073c9b
                                      • Opcode Fuzzy Hash: 0a3d1fcfaa77d22a7685c9aa173a99a7bdf525016450af66438897afa9a06908
                                      • Instruction Fuzzy Hash: 8301D432F105254BDFA496388D142EE76AA9BC9320F11073AD556D73D8EF24CD024791
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9997279e0ff65b50c45a4000bd329839a5e4a747c166508c06d1214f4aacca20
                                      • Instruction ID: 7df34f7dda125c5de5f059ee9b646d1cff4dd4a179aeb2f3c35c3ec1fc54d7c2
                                      • Opcode Fuzzy Hash: 9997279e0ff65b50c45a4000bd329839a5e4a747c166508c06d1214f4aacca20
                                      • Instruction Fuzzy Hash: 7501AF35B001144BEBA4957C985872FB3DADBC9724F14C839F60ACB344EE25DC029381
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6de77c77dcaa520ee076881eaddac2ac29cef6b30c6c8951f5f35b42c3a427f3
                                      • Instruction ID: e619b374adcd96608aca8c5d914694d6e90d67df3e9fc941478bc2f7ff3976fb
                                      • Opcode Fuzzy Hash: 6de77c77dcaa520ee076881eaddac2ac29cef6b30c6c8951f5f35b42c3a427f3
                                      • Instruction Fuzzy Hash: 2B01717181E3D55FEB528A7899603897F748F43214F1905DBC484CB0D7F1658985C3A6
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ceb042160873bd1fbd326479b035a3c59463669f9f5f80e4db391a94c8235f40
                                      • Instruction ID: ffbac315312c9bb87e7f98d673a758fdd40a9c75f5de5f09e03dc690252c09bf
                                      • Opcode Fuzzy Hash: ceb042160873bd1fbd326479b035a3c59463669f9f5f80e4db391a94c8235f40
                                      • Instruction Fuzzy Hash: F4014435B106145BDB64E678E85472FB3EAFB89714F10C439E54AD775CEA25DC028780
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d718a20cd0ec992ab924116ef49547def293a389907f62b0a2fc5e14970b664f
                                      • Instruction ID: d6f51cb2fc0581d21778000f96516dba5b0db32272d48664ed9ec817eff94ef8
                                      • Opcode Fuzzy Hash: d718a20cd0ec992ab924116ef49547def293a389907f62b0a2fc5e14970b664f
                                      • Instruction Fuzzy Hash: B301A431F102289BDF54AA69F94169EB769FB86318F144539EA15EB344EB72AC048BC0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq$$lq$$lq$$lq$$lq$$lq$$lq$$lq$$lq
                                      • API String ID: 0-3106076279
                                      • Opcode ID: 9db5116997f19e2228bd354522d0b1d23eaafe5528acf9ef2c5e6b515651d7fc
                                      • Instruction ID: 64928f55f40ec337a8d7e6efa5dd1ef8f71a2daf8a91a8effbf3f0eee7391f62
                                      • Opcode Fuzzy Hash: 9db5116997f19e2228bd354522d0b1d23eaafe5528acf9ef2c5e6b515651d7fc
                                      • Instruction Fuzzy Hash: BE122C34A002199FEB64DF65C954AAEB7B2FF88304F208569D506EB368DB35DD85CF80
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq$$lq$$lq$$lq$$lq$$lq$$lq
                                      • API String ID: 0-2898588307
                                      • Opcode ID: d8e7b7a9135408b70561d75ad89c765d5c68b8e290f0508db324075ea5415d1e
                                      • Instruction ID: 1130054d030304db4cd5bd97c8041d354881dddd66fa97877210d88b4489da62
                                      • Opcode Fuzzy Hash: d8e7b7a9135408b70561d75ad89c765d5c68b8e290f0508db324075ea5415d1e
                                      • Instruction Fuzzy Hash: 72916A30A0030A9FFB68DF64DA55B6EB7B7AF44304F148529E801E7798DB75AC46CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq$$lq$$lq$$lq$$lq
                                      • API String ID: 0-1854859054
                                      • Opcode ID: ef45a3212ea5980334af597c49ae4e9ca3108a58181d662039da887f531c7e0e
                                      • Instruction ID: c322aad6c4230a9d03372c55eb27a2876947acd495472309b84676e07c8dd49d
                                      • Opcode Fuzzy Hash: ef45a3212ea5980334af597c49ae4e9ca3108a58181d662039da887f531c7e0e
                                      • Instruction Fuzzy Hash: 4AF15D74B01209DFDB58EF64D550A5EB7B7BF88304F248468E8159B3A8DB35EC42DB81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq$$lq$$lq$$lq$$lq
                                      • API String ID: 0-1854859054
                                      • Opcode ID: 953463d1af41ad3eda18326dc762c40812502e67621e40550b1a69babdc90882
                                      • Instruction ID: f8705466ef854de48abff3ea0f9fa0b92e97002aa99db488368841ccb41fb139
                                      • Opcode Fuzzy Hash: 953463d1af41ad3eda18326dc762c40812502e67621e40550b1a69babdc90882
                                      • Instruction Fuzzy Hash: 5B718170E003098FEB64DFA8D580A6EB7B6FF85314F108529D906EB259DB71ED46CB81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq$$lq$$lq
                                      • API String ID: 0-195311763
                                      • Opcode ID: a963bbc4f46e31de073b9ff3db9e3e34dfc45cb09f44dcb84036c47a05a4ad99
                                      • Instruction ID: 777a0216b5dc40e39a211f5b6a7f835b946a5a08724bbb05b66b702e052db48f
                                      • Opcode Fuzzy Hash: a963bbc4f46e31de073b9ff3db9e3e34dfc45cb09f44dcb84036c47a05a4ad99
                                      • Instruction Fuzzy Hash: 95B14C70F112098FEB68EF64C99469EB7B6BF84304F248429D906DB358DB75DC86CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $lq$$lq$$lq$$lq
                                      • API String ID: 0-195311763
                                      • Opcode ID: 5db85dc7b75240c77fe383ae0a4a9257e732b52d014838a9b56714325e4a051b
                                      • Instruction ID: 2a8c8e7454c103a1ba2c8b8f8427b254486d286fd9b723916ff384ceae54647d
                                      • Opcode Fuzzy Hash: 5db85dc7b75240c77fe383ae0a4a9257e732b52d014838a9b56714325e4a051b
                                      • Instruction Fuzzy Hash: C9519C30E103059FEFA9DB64E5806AEB7B6EB88305F24852AED06D7754DB35EC41CB90
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000004.00000002.2623821887.00000000068A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068A0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_4_2_68a0000_hCkkM0lH0P.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LRlq$LRlq$$lq$$lq
                                      • API String ID: 0-833119577
                                      • Opcode ID: ba3c32a233f39714afd0c455931fe79a5cea3105fe5b31fc3a12a4a62cb82afc
                                      • Instruction ID: a5c4a4930fe07f5f13b9e312bf288cf73e93f6daf4426812be25dbc1890ef21d
                                      • Opcode Fuzzy Hash: ba3c32a233f39714afd0c455931fe79a5cea3105fe5b31fc3a12a4a62cb82afc
                                      • Instruction Fuzzy Hash: 0C51D370B002059FEB58EB28D941A6EB7F6FF85304F148568E915DB3A9DB31EC00CBA1