
Windows Analysis Report
7569qiv4L2.exe

Overview

General Information

Sample name: 7569qiv4L2.exe
renamed because original name is a hash value
Original sample name: e45c854f716217466a20fdadfc487d6aaf025d8e1e82eaeefa27e4d8750d2f24.exe
Analysis ID: 1587627
MD5: 32810aa330835d7a82ef0a37eb20ab36
SHA1: 880c82c8aaec841f10e54aea97c90fda80e92c20
SHA256: e45c854f716217466a20fdadfc487d6aaf025d8e1e82eaeefa27e4d8750d2f24
Tags: exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 7569qiv4L2.exe (PID: 6700 cmdline: "C:\Users\user\Desktop\7569qiv4L2.exe" MD5: 32810AA330835D7A82EF0A37EB20AB36)
    • powershell.exe (PID: 5276 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2756 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • 7569qiv4L2.exe (PID: 1444 cmdline: "C:\Users\user\Desktop\7569qiv4L2.exe" MD5: 32810AA330835D7A82EF0A37EB20AB36)
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "testlab@apexrnun.com", "Password": "%qroUozO;(C2Rlyb"}
Yara matches in memory dumps (Source, Rule, Description, Author):
Source: 00000005.00000002.2856976630.000000000304E000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 00000005.00000002.2856976630.0000000003022000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000005.00000002.2856976630.0000000003022000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Yara matches in unpacked PE files (Source, Rule, Description, Author):
Source: 5.2.7569qiv4L2.exe.400000.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 5.2.7569qiv4L2.exe.400000.0.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 5.2.7569qiv4L2.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 5.2.7569qiv4L2.exe.400000.0.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.7569qiv4L2.exe.411c010.2.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security

                    System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7569qiv4L2.exe", ParentImage: C:\Users\user\Desktop\7569qiv4L2.exe, ParentProcessId: 6700, ParentProcessName: 7569qiv4L2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe", ProcessId: 5276, ProcessName: powershell.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\7569qiv4L2.exe", ParentImage: C:\Users\user\Desktop\7569qiv4L2.exe, ParentProcessId: 6700, ParentProcessName: 7569qiv4L2.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe", ProcessId: 5276, ProcessName: powershell.exe
No Suricata rule has matched


                    AV Detection

Source: 7569qiv4L2.exe, Avira: detected
Source: 5.2.7569qiv4L2.exe.400000.0.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "testlab@apexrnun.com", "Password": "%qroUozO;(C2Rlyb"}
Source: 7569qiv4L2.exe, ReversingLabs: Detection: 82%
Source: 7569qiv4L2.exe, Virustotal: Detection: 73%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: 7569qiv4L2.exe, Joe Sandbox ML: detected
Source: 7569qiv4L2.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7569qiv4L2.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: rgxB.pdbSHA256 source: 7569qiv4L2.exe
Source: Binary string: rgxB.pdb source: 7569qiv4L2.exe

                    Networking

Source: Yara match, File source: 5.2.7569qiv4L2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.7569qiv4L2.exe.411c010.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.7569qiv4L2.exe.40e09f0.3.raw.unpack, type: UNPACKEDPE
Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 208.95.112.1
Source: unknown, DNS query: name: ip-api.com
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic, DNS traffic detected: DNS query: ip-api.com
Source: global traffic, DNS traffic detected: DNS query: mail.apexrnun.com
Source: 7569qiv4L2.exe, 00000005.00000002.2856976630.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com
Source: 7569qiv4L2.exe, 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, 7569qiv4L2.exe, 00000005.00000002.2856976630.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, 7569qiv4L2.exe, 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: 7569qiv4L2.exe, 00000000.00000002.1624141842.0000000003100000.00000004.00000800.00020000.00000000.sdmp, 7569qiv4L2.exe, 00000005.00000002.2856976630.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 7569qiv4L2.exe, 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, 7569qiv4L2.exe, 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/

                    System Summary

Source: 5.2.7569qiv4L2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.7569qiv4L2.exe.411c010.2.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.7569qiv4L2.exe.40e09f0.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.7569qiv4L2.exe.411c010.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.7569qiv4L2.exe.40e09f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: C:\Users\user\Desktop\7569qiv4L2.exe, Code functions (process 0): 0_2_012FF044, 0_2_07571340, 0_2_0757D3D4, 0_2_07573A50, 0_2_075BA341, 0_2_075BEDA0, 0_2_075BE968
Source: C:\Users\user\Desktop\7569qiv4L2.exe, Code functions (process 5): 5_2_0153A8A8, 5_2_01534AC0, 5_2_0153EC18, 5_2_0153ACEF, 5_2_01533EA8, 5_2_015341F0, 5_2_069DA7DC, 5_2_069DC058, 5_2_069F65C0, 5_2_069F5568, 5_2_069F3028, 5_2_069FB1F8, 5_2_069FC148, 5_2_069F7D50, 5_2_069F7670, 5_2_069F2340, 5_2_069FE378, 5_2_069F0040, 5_2_069F5CB3, 5_2_069F0006
Source: 7569qiv4L2.exe, 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs 7569qiv4L2.exe
Source: 7569qiv4L2.exe, 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs 7569qiv4L2.exe
Source: 7569qiv4L2.exe, 00000000.00000002.1623127887.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameclr.dllT vs 7569qiv4L2.exe
Source: 7569qiv4L2.exe, 00000000.00000002.1631577792.0000000007DB0000.00000004.08000000.00040000.00000000.sdmp, Binary or memory string: OriginalFilenameTyrone.dll8 vs 7569qiv4L2.exe
Source: 7569qiv4L2.exe, 00000000.00000000.1604309394.0000000000CB0000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: OriginalFilenamergxB.exeL vs 7569qiv4L2.exe
Source: 7569qiv4L2.exe, 00000000.00000002.1624141842.0000000003100000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs 7569qiv4L2.exe
Source: 7569qiv4L2.exe, 00000005.00000002.2855588872.00000000010F8000.00000004.00000010.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 7569qiv4L2.exe
Source: 7569qiv4L2.exe, 00000005.00000002.2855274857.000000000043E000.00000040.00000400.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs 7569qiv4L2.exe
Source: 7569qiv4L2.exe, Binary or memory string: OriginalFilenamergxB.exeL vs 7569qiv4L2.exe
Source: 7569qiv4L2.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.7569qiv4L2.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.7569qiv4L2.exe.411c010.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.7569qiv4L2.exe.40e09f0.3.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.7569qiv4L2.exe.411c010.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.7569qiv4L2.exe.40e09f0.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7569qiv4L2.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/1
Source: C:\Users\user\Desktop\7569qiv4L2.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7569qiv4L2.exe.log
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_03
Source: C:\Users\user\Desktop\7569qiv4L2.exe, Mutant created: NULL
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_otm2axsj.aae.ps1
Source: 7569qiv4L2.exe, Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 7569qiv4L2.exe, Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\7569qiv4L2.exe, WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\7569qiv4L2.exe, WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\7569qiv4L2.exe, File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\7569qiv4L2.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7569qiv4L2.exe, ReversingLabs: Detection: 82%
Source: 7569qiv4L2.exe, Virustotal: Detection: 73%
Source: 7569qiv4L2.exe, String found in binary or memory: $72794fd6-9579-4364-adda-1580f4b1038b
Source: unknown, Process created: C:\Users\user\Desktop\7569qiv4L2.exe "C:\Users\user\Desktop\7569qiv4L2.exe"
Source: C:\Users\user\Desktop\7569qiv4L2.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7569qiv4L2.exe, Process created: C:\Users\user\Desktop\7569qiv4L2.exe "C:\Users\user\Desktop\7569qiv4L2.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\7569qiv4L2.exe, Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe"
Source: C:\Users\user\Desktop\7569qiv4L2.exe, Process created: C:\Users\user\Desktop\7569qiv4L2.exe "C:\Users\user\Desktop\7569qiv4L2.exe"
Source: C:\Users\user\Desktop\7569qiv4L2.exe, Sections loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, textshaping.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Sections loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Users\user\Desktop\7569qiv4L2.exe, Sections loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: 7569qiv4L2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: 7569qiv4L2.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: 7569qiv4L2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: rgxB.pdbSHA256 source: 7569qiv4L2.exe
                    Source: Binary string: rgxB.pdb source: 7569qiv4L2.exe
                    Source: 7569qiv4L2.exeStatic PE information: 0xA534AAAB [Tue Oct 30 18:30:03 2057 UTC]
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeCode function: 0_2_07575648 pushfd ; iretd 0_2_075756F9
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeCode function: 0_2_0757AE19 push eax; mov dword ptr [esp], edx0_2_0757AE2C
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeCode function: 0_2_07575638 pushad ; iretd 0_2_07575639
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeCode function: 0_2_075756F0 pushfd ; iretd 0_2_075756F9
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeCode function: 5_2_069D5160 push es; ret 5_2_069D5170
                    Source: 7569qiv4L2.exeStatic PE information: section name: .text entropy: 7.759269386964185

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\7569qiv4L2.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match -- File source: Process Memory Space: 7569qiv4L2.exe PID: 6700, type: MEMORYSTR
                    Source: global traffic -- HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: 7569qiv4L2.exe, 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, 7569qiv4L2.exe, 00000005.00000002.2856976630.0000000003022000.00000004.00000800.00020000.00000000.sdmp, 7569qiv4L2.exe, 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp -- Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: 12F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: 30C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: 2F90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: 9370000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: 7E30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: A370000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: B370000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: 1530000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: 2FF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: 2E10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Code function: 0_2_07568A29 sldt word ptr [eax]
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 5221
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 2161
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe TID: 5904 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6728 -- Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6692 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe TID: 3532 -- Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe TID: 3532 -- Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe TID: 4468 -- Thread sleep count: 198 > 30
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Thread delayed: delay time: 100000
                    Source: 7569qiv4L2.exe, 00000005.00000002.2856976630.0000000003022000.00000004.00000800.00020000.00000000.sdmp -- Binary or memory string: VMware
                    Source: 7569qiv4L2.exe, 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp -- Binary or memory string: vmware
                    Source: 7569qiv4L2.exe, 00000000.00000002.1629366357.000000000727D000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}a
                    Source: 7569qiv4L2.exe, 00000000.00000002.1629366357.000000000727D000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: 7569qiv4L2.exe, 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp -- Binary or memory string: VMwareVBox
                    Source: 7569qiv4L2.exe, 00000005.00000002.2855618152.0000000001235000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Code function: 5_2_015370A0 CheckRemoteDebuggerPresent
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe"
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Process created: C:\Users\user\Desktop\7569qiv4L2.exe "C:\Users\user\Desktop\7569qiv4L2.exe"
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Queries volume information: C:\Users\user\Desktop\7569qiv4L2.exe VolumeInformation
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match -- File source: 5.2.7569qiv4L2.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.411c010.2.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.40e09f0.3.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.411c010.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.40e09f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 00000005.00000002.2856976630.000000000304E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000005.00000002.2856976630.0000000003022000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: Process Memory Space: 7569qiv4L2.exe PID: 6700, type: MEMORYSTR
                    Source: Yara match -- File source: Process Memory Space: 7569qiv4L2.exe PID: 1444, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\7569qiv4L2.exe -- Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match -- File source: 5.2.7569qiv4L2.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.411c010.2.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.40e09f0.3.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.411c010.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.40e09f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000005.00000002.2856976630.0000000003022000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: Process Memory Space: 7569qiv4L2.exe PID: 6700, type: MEMORYSTR
                    Source: Yara match -- File source: Process Memory Space: 7569qiv4L2.exe PID: 1444, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match -- File source: 5.2.7569qiv4L2.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.411c010.2.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.40e09f0.3.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.411c010.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 0.2.7569qiv4L2.exe.40e09f0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match -- File source: 00000005.00000002.2856976630.000000000304E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000005.00000002.2856976630.0000000003022000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match -- File source: Process Memory Space: 7569qiv4L2.exe PID: 6700, type: MEMORYSTR
                    Source: Yara match -- File source: Process Memory Space: 7569qiv4L2.exe PID: 1444, type: MEMORYSTR

                    | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
                    | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | 2 OS Credential Dumping | 531 Security Software Discovery | Remote Services | 1 Email Collection | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
                    | Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 Credentials in Registry | 1 Process Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
                    | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 271 Virtualization/Sandbox Evasion | Security Account Manager | 271 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 2 Data from Local System | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
                    | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 2 Application Layer Protocol | Traffic Duplication | Data Destruction |
                    | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 System Network Configuration Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
                    | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
                    | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | 34 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
                    | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
                    Behavior Graph ID: 1587627 | Sample: 7569qiv4L2.exe | Start date: 10/01/2025 | Architecture: WINDOWS | Score: 100
                    Start
                      DNS/IP: mail.apexrnun.com; ip-api.com
                      Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 8 other signatures
                      7569qiv4L2.exe (started)
                        Dropped file: C:\Users\user\AppData\...\7569qiv4L2.exe.log, ASCII
                        Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures
                        7569qiv4L2.exe (started)
                          DNS/IP: ip-api.com 208.95.112.1, 49706, 80, TUT-ASUS United States
                          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
                        powershell.exe (started)
                          Signatures: Loading BitLocker PowerShell Module
                          WmiPrvSE.exe (started)
                          conhost.exe (started)

                    Source | Detection | Scanner | Label
                    7569qiv4L2.exe | 83% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                    7569qiv4L2.exe | 74% | Virustotal |
                    7569qiv4L2.exe | 100% | Avira | TR/AD.GenSteal.vqlcs
                    7569qiv4L2.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    ip-api.com | 208.95.112.1 | true | false | | high
                    mail.apexrnun.com | unknown | unknown | false | | high
                    Name | Malicious | Antivirus Detection | Reputation
                    http://ip-api.com/line/?fields=hosting | false | | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://account.dyn.com/ | 7569qiv4L2.exe, 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, 7569qiv4L2.exe, 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 7569qiv4L2.exe, 00000000.00000002.1624141842.0000000003100000.00000004.00000800.00020000.00000000.sdmp, 7569qiv4L2.exe, 00000005.00000002.2856976630.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    http://ip-api.com | 7569qiv4L2.exe, 00000005.00000002.2856976630.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                                Joe Sandbox version:42.0.0 Malachite
                                Analysis ID:1587627
                                Start date and time:2025-01-10 15:59:46 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 6m 13s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes:11
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:7569qiv4L2.exe
                                renamed because original name is a hash value
                                Original Sample Name:e45c854f716217466a20fdadfc487d6aaf025d8e1e82eaeefa27e4d8750d2f24.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@7/6@2/1
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 180
                                • Number of non-executed functions: 4
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                • Excluded IPs from analysis (whitelisted): 2.23.242.162, 20.12.23.50, 13.107.246.45
                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                    Time | Type | Description
                    10:01:01 | API Interceptor | 2x Sleep call for process: 7569qiv4L2.exe modified
                    10:01:03 | API Interceptor | 15x Sleep call for process: powershell.exe modified
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    208.95.112.1 | hCkkM0lH0P.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | sDflTDPSLw.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | 2HCwqwLg1G.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | CdbVaYf8jC.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | H9YFiQB7o3.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | lFlw40OH6u.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | driver.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
                    208.95.112.1 | XClient.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                    208.95.112.1 | Comprobante.de.pago.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    ip-api.com | hCkkM0lH0P.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | sDflTDPSLw.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | 2HCwqwLg1G.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | CdbVaYf8jC.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | H9YFiQB7o3.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | lFlw40OH6u.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | driver.exe | malicious | Blank Grabber | 208.95.112.1
                    ip-api.com | XClient.exe | malicious | XWorm | 208.95.112.1
                    ip-api.com | Comprobante.de.pago.pdf.exe | malicious | AgentTesla | 208.95.112.1
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    TUT-ASUS | hCkkM0lH0P.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | sDflTDPSLw.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | 2HCwqwLg1G.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | CdbVaYf8jC.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | H9YFiQB7o3.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | lFlw40OH6u.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | Pago devuelto #.Documentos#9787565789678675645767856843.exe | malicious | AgentTesla | 208.95.112.1
                    TUT-ASUS | driver.exe | malicious | Blank Grabber | 208.95.112.1
                    TUT-ASUS | XClient.exe | malicious | XWorm | 208.95.112.1
                    TUT-ASUS | Comprobante.de.pago.pdf.exe | malicious | AgentTesla | 208.95.112.1
                    No context
                                Process:C:\Users\user\Desktop\7569qiv4L2.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.34331486778365
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2232
                                Entropy (8bit):5.380046556058007
                                Encrypted:false
                                SSDEEP:48:tWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:tLHxv2IfLZ2KRH6Oug8s
                                MD5:047FB2DF487007775DECF6DA3D7F65EA
                                SHA1:A0C21FB6AA4A11108B5608F02BA19842B53304A2
                                SHA-256:34EB90114BBA06D2BB7D773A488CDC6924A4D0B6B434B78F7B112836408458BA
                                SHA-512:3EE9BC4C8ED5EAFE3D28DC6964F09AFBB87648F6D1D2708EDF7C077268AB09A776F66EFA798E42DE7132663458BA5E65535903D113AE6C94D5B5978DD787F9B1
                                Malicious:false
                                Reputation:low
                                Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.75182706099688
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                • Win32 Executable (generic) a (10002005/4) 49.75%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Windows Screen Saver (13104/52) 0.07%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                File name:7569qiv4L2.exe
                                File size:708'096 bytes
                                MD5:32810aa330835d7a82ef0a37eb20ab36
                                SHA1:880c82c8aaec841f10e54aea97c90fda80e92c20
                                SHA256:e45c854f716217466a20fdadfc487d6aaf025d8e1e82eaeefa27e4d8750d2f24
                                SHA512:52a5dce73075d7c4d8d824744033736e81478268dd60b23b4b87d0afc7364267a7210fbf557ca16d2253d09c010e50747f2a58c607aa6d105d55a41a32d82848
                                SSDEEP:12288:QnCTAzWOw0YsRPqgyzFxqq5c+40JcQk1vXQuawfznrevUmE:FURRigukq5c+XOhvgMev/E
                                TLSH:B2E40268161AD503D86957B91AB2F2B4233C1DEFB542F316AFDD6CEBB56BB104C04283
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....4...............0.................. ........@.. .......................@............@................................
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0x4ae2f2
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0xA534AAAB [Tue Oct 30 18:30:03 2057 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
                                jmp dword ptr [00402000h]
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xae2a0 | 0x4f | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x5cc | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb2000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0xabc30 | 0x70 | .text
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0xac2f8 | 0xac400 | 10be9b93e8ab014466d97419569372c7 | False | 0.912863411647315 | data | 7.759269386964185 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0xb0000 | 0x5cc | 0x600 | bcc96dfea29f88ddeccaa7e57e3666e7 | False | 0.427734375 | data | 4.129496667381752 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0xb2000 | 0xc | 0x200 | a39308c3e2d6c64378ed5c996f14a008 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                RT_VERSION | 0xb0090 | 0x33c | data | | | 0.42995169082125606
                                RT_MANIFEST | 0xb03dc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                DLL | Import
                                mscoree.dll | _CorExeMain
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jan 10, 2025 16:01:03.965069056 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                Jan 10, 2025 16:01:03.970026970 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                Jan 10, 2025 16:01:03.970169067 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                Jan 10, 2025 16:01:03.971016884 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                Jan 10, 2025 16:01:03.975792885 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                Jan 10, 2025 16:01:04.435853004 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                Jan 10, 2025 16:01:04.478013992 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                Jan 10, 2025 16:01:55.415985107 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                Jan 10, 2025 16:01:55.421364069 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.8
                                Jan 10, 2025 16:01:55.422938108 CET | 49706 | 80 | 192.168.2.8 | 208.95.112.1
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jan 10, 2025 16:01:03.929208994 CET | 58497 | 53 | 192.168.2.8 | 1.1.1.1
                                Jan 10, 2025 16:01:03.937277079 CET | 53 | 58497 | 1.1.1.1 | 192.168.2.8
                                Jan 10, 2025 16:01:05.407469988 CET | 60517 | 53 | 192.168.2.8 | 1.1.1.1
                                Jan 10, 2025 16:01:05.418189049 CET | 53 | 60517 | 1.1.1.1 | 192.168.2.8
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Jan 10, 2025 16:01:03.929208994 CET | 192.168.2.8 | 1.1.1.1 | 0xd860 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                Jan 10, 2025 16:01:05.407469988 CET | 192.168.2.8 | 1.1.1.1 | 0x26be | Standard query (0) | mail.apexrnun.com | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Jan 10, 2025 16:01:03.937277079 CET | 1.1.1.1 | 192.168.2.8 | 0xd860 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                Jan 10, 2025 16:01:05.418189049 CET | 1.1.1.1 | 192.168.2.8 | 0x26be | Name error (3) | mail.apexrnun.com | none | none | A (IP address) | IN (0x0001) | false
                                • ip-api.com
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.8 | 49706 | 208.95.112.1 | 80 | 1444 | C:\Users\user\Desktop\7569qiv4L2.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Jan 10, 2025 16:01:03.971016884 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                Host: ip-api.com
                                Connection: Keep-Alive
                                Jan 10, 2025 16:01:04.435853004 CET | 175 | IN | HTTP/1.1 200 OK
                                Date: Fri, 10 Jan 2025 15:01:04 GMT
                                Content-Type: text/plain; charset=utf-8
                                Content-Length: 6
                                Access-Control-Allow-Origin: *
                                X-Ttl: 60
                                X-Rl: 44
                                Data Raw: 66 61 6c 73 65 0a
                                Data Ascii: false



                                Target ID:0
                                Start time:10:01:01
                                Start date:10/01/2025
                                Path:C:\Users\user\Desktop\7569qiv4L2.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\7569qiv4L2.exe"
                                Imagebase:0xc00000
                                File size:708'096 bytes
                                MD5 hash:32810AA330835D7A82EF0A37EB20AB36
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1625630073.00000000040C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:10:01:02
                                Start date:10/01/2025
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\7569qiv4L2.exe"
                                Imagebase:0xb20000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:10:01:02
                                Start date:10/01/2025
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6ee680000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:10:01:02
                                Start date:10/01/2025
                                Path:C:\Users\user\Desktop\7569qiv4L2.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\7569qiv4L2.exe"
                                Imagebase:0xbe0000
                                File size:708'096 bytes
                                MD5 hash:32810AA330835D7A82EF0A37EB20AB36
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2856976630.000000000304E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2855274857.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2856976630.0000000003022000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2856976630.0000000003022000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:6
                                Start time:10:01:04
                                Start date:10/01/2025
                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Imagebase:0x7ff605670000
                                File size:496'640 bytes
                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true


                                  Execution Graph

                                  Execution Coverage:12.4%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:1.4%
                                  Total number of Nodes:211
                                  Total number of Limit Nodes:21
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1629883790.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7570000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b34a69a542877ed7aaea84a64ab2357bb5d512bef168f1e5cb94bd44d3f1fc50
                                  • Instruction ID: ab9cc918d8147212a4b8a185f06f30b9be6845b71a0e4f30d65d654302238fdb
                                  • Opcode Fuzzy Hash: b34a69a542877ed7aaea84a64ab2357bb5d512bef168f1e5cb94bd44d3f1fc50
                                  • Instruction Fuzzy Hash: B7A20B71E002598FDB25EF68C8586DDB7B2FF89300F1481A9D90AA7355EB74AE85CF40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1629883790.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7570000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b034152405a891cb53792077a2fb8aa6c9ac528ee39deec5360bf206ee0d1ae1
                                  • Instruction ID: 3af1cf0828bd87d1bccb54403e0de8d5dcab1183b86f1ae4c4e7831b052dba45
                                  • Opcode Fuzzy Hash: b034152405a891cb53792077a2fb8aa6c9ac528ee39deec5360bf206ee0d1ae1
                                  • Instruction Fuzzy Hash: 864234B4700715CFCB689B78D4696AE77F2BFC9206B1448AEE507CB760DB36A841CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1629883790.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7570000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 925c4f43fc88504ebe13db65bd2077fa3e7f4d456ed040f702968f77fef3fc45
                                  • Instruction ID: ca6081c8fa48879b5051093cd86cb61fdca65d44684a322512842ad255f0279e
                                  • Opcode Fuzzy Hash: 925c4f43fc88504ebe13db65bd2077fa3e7f4d456ed040f702968f77fef3fc45
                                  • Instruction Fuzzy Hash: 36224C70A10219CFCB54DF68D884A9DBBB2FF89310F15C599E809AB225DB30ED85CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b0ca05ca8ad0f505af94a9f462bc7e8fb855988fb9ba0d68b0bf2935e3b33287
                                  • Instruction ID: 4400a28af70a4803ce83b589782a3fd3f6355bebba5873847cb2300cecdf512d
                                  • Opcode Fuzzy Hash: b0ca05ca8ad0f505af94a9f462bc7e8fb855988fb9ba0d68b0bf2935e3b33287
                                  • Instruction Fuzzy Hash: CF4130B0D05218DFEB68CF6AD8407EDBBB7BF89300F10C4AAD409A7254DB3409858F51

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 012FD5DE
                                  • GetCurrentThread.KERNEL32 ref: 012FD61B
                                  • GetCurrentProcess.KERNEL32 ref: 012FD658
                                  • GetCurrentThreadId.KERNEL32 ref: 012FD6B1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622694853.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_12f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 6053333293c1cba5a13bf61b2cadb3d059a78f40432420e047afb52cbd6dacd4
                                  • Instruction ID: 7889211ab847606048b0322e473a58ef2965ec2b75764c2b487920d2137ca228
                                  • Opcode Fuzzy Hash: 6053333293c1cba5a13bf61b2cadb3d059a78f40432420e047afb52cbd6dacd4
                                  • Instruction Fuzzy Hash: B15154B090134A8FDB14DFA9D548BEEBBF1BF88314F208069E519A72A0DB355944CF65

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 012FD5DE
                                  • GetCurrentThread.KERNEL32 ref: 012FD61B
                                  • GetCurrentProcess.KERNEL32 ref: 012FD658
                                  • GetCurrentThreadId.KERNEL32 ref: 012FD6B1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622694853.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_12f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 03e7dc2b018c4f758adf8b46a2c3bd1ca5d2d82c7c85fb10b0f8d317ad3237c1
                                  • Instruction ID: 4f4b702cb11ac6f90507c7d8c18af6d122faff530b4acdf2f07f64cd6c9f4d9e
                                  • Opcode Fuzzy Hash: 03e7dc2b018c4f758adf8b46a2c3bd1ca5d2d82c7c85fb10b0f8d317ad3237c1
                                  • Instruction Fuzzy Hash: 8D5144B090130A8FDB14DFA9D548B9EBBF1FF88314F208469E519A72A0DB355944CF65

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1628688585.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_56a0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f94b41ec5d1836906dd99c6ad04fef96e18ab21f0b373a1fffe9f796b4fc5d69
                                  • Instruction ID: 21925fcb935e8c7db1a41357ac79d8601a4b9537c8e548b589bd65c851dda2e6
                                  • Opcode Fuzzy Hash: f94b41ec5d1836906dd99c6ad04fef96e18ab21f0b373a1fffe9f796b4fc5d69
                                  • Instruction Fuzzy Hash: EA812B36B002188FDB14EFA4C554AAEB7F2FF88215F2444AAD506AB750CB35ED45CF61

                                  Control-flow Graph

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 012FB11E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622694853.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_12f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 7971f80254f3ba7f1f946896e353954fa1c0808c8a9c04316c30b22ccf90cee5
                                  • Instruction ID: a69432b2219dbf4fd149e699453a6bbf1bbfea6b528e17ffe6859dee95a5b25d
                                  • Opcode Fuzzy Hash: 7971f80254f3ba7f1f946896e353954fa1c0808c8a9c04316c30b22ccf90cee5
                                  • Instruction Fuzzy Hash: DD811670A10B468FDB24DF29D44475ABBF1FF88700F008A2DD69ADBA50D775E845CB91

                                  Control-flow Graph

                                  APIs
                                  • SetTimer.USER32(?,01326428,?,?,?,?,?,?,0757A0B0,00000000,00000000,?), ref: 0757A25D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1629883790.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7570000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: Timer
                                  • String ID:
                                  • API String ID: 2870079774-0
                                  • Opcode ID: cc79770478dd0529030d1be942f79374b17ce7983093a0737500a73c814d6df7
                                  • Instruction ID: 4dbaa2d46dcd345d1fcd78419c11d5f98067a13f3613ee059b7f00bb12d5ca7f
                                  • Opcode Fuzzy Hash: cc79770478dd0529030d1be942f79374b17ce7983093a0737500a73c814d6df7
                                  • Instruction Fuzzy Hash: 8F31E3B1A042458FCB149F6DE454AEEBFE5EF86310F1980ABD409DB3A2C676DC45CB90

                                  Control-flow Graph
                                  control_flow_graph 216 12f591c-12f59e9 CreateActCtxA 218 12f59eb-12f59f1 216->218 219 12f59f2-12f5a4c 216->219 218->219 227 12f5a4e-12f5a51 219->227 228 12f5a5b-12f5a5f 219->228 227->228 229 12f5a61-12f5a6d 228->229 230 12f5a70 228->230 229->230 232 12f5a71 230->232 232->232
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 012F59D9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622694853.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_12f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 458b688ad107cf9c54cf921a182ffce5de00c978287c00601b3eb553d887f29d
                                  • Instruction ID: a34cd4d5d017373293e675b1de9e21b7765fccbf2f73da3f292b3fa7abba7245
                                  • Opcode Fuzzy Hash: 458b688ad107cf9c54cf921a182ffce5de00c978287c00601b3eb553d887f29d
                                  • Instruction Fuzzy Hash: 4D41F2B1C00719CFDB24CFA9C884BDEBBB1BF85704F20816AD509AB251DB755949CF90

                                  Control-flow Graph
                                  control_flow_graph 233 12f4514-12f59e9 CreateActCtxA 236 12f59eb-12f59f1 233->236 237 12f59f2-12f5a4c 233->237 236->237 245 12f5a4e-12f5a51 237->245 246 12f5a5b-12f5a5f 237->246 245->246 247 12f5a61-12f5a6d 246->247 248 12f5a70 246->248 247->248 250 12f5a71 248->250 250->250
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 012F59D9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622694853.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_12f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: c0ace2de714af8022fe04baf0bdf4acc18dc6498eb165e3cbd9482ef4da24a64
                                  • Instruction ID: bb24416a799247e89f39dc4271af932575a7f10631a70c92a571149f466cebb3
                                  • Opcode Fuzzy Hash: c0ace2de714af8022fe04baf0bdf4acc18dc6498eb165e3cbd9482ef4da24a64
                                  • Instruction Fuzzy Hash: 6641DF70C0071DCFDB24DFA9C844B9EBBB1BF49704F20816AD508AB251DB756945CF90

                                  Control-flow Graph
                                  control_flow_graph 251 56a51fc-56a67ec 253 56a67ee-56a67f4 251->253 254 56a67f7-56a6806 251->254 253->254 255 56a680b-56a6844 DrawTextExW 254->255 256 56a6808 254->256 257 56a684d-56a686a 255->257 258 56a6846-56a684c 255->258 256->255 258->257
                                  APIs
                                  • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,056A6785,?,?), ref: 056A6837
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1628688585.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_56a0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: DrawText
                                  • String ID:
                                  • API String ID: 2175133113-0
                                  • Opcode ID: 8f450b33e3e0a9a5c6101906f0bb1ec5a5c6bad1ec4e4c8b08df2a8c2175e4ca
                                  • Instruction ID: 528c86a8f47d108fb69fbe0d3174054796369b8433ef7fbb25392ae100687b79
                                  • Opcode Fuzzy Hash: 8f450b33e3e0a9a5c6101906f0bb1ec5a5c6bad1ec4e4c8b08df2a8c2175e4ca
                                  • Instruction Fuzzy Hash: A131E2B5D003499FDB10CF9AD884AEEFBF9FB48210F14842AE919A7310D775A940CFA0

                                  Control-flow Graph
                                  control_flow_graph 261 56a6799-56a67ec 262 56a67ee-56a67f4 261->262 263 56a67f7-56a6806 261->263 262->263 264 56a680b-56a6844 DrawTextExW 263->264 265 56a6808 263->265 266 56a684d-56a686a 264->266 267 56a6846-56a684c 264->267 265->264 267->266
                                  APIs
                                  • DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,056A6785,?,?), ref: 056A6837
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1628688585.00000000056A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056A0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_56a0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: DrawText
                                  • String ID:
                                  • API String ID: 2175133113-0
                                  • Opcode ID: ace51e216853954f2c5b7e70e3337f09924a083e5b3a5322ef278530d65e8d31
                                  • Instruction ID: d4d574acef394954c10c928eda293bb3abcb6fac2de55f667cabdf345a2b8d3c
                                  • Opcode Fuzzy Hash: ace51e216853954f2c5b7e70e3337f09924a083e5b3a5322ef278530d65e8d31
                                  • Instruction Fuzzy Hash: C721E3B6D003099FDB10CF9AD984ADEFBF4BF48220F14842AE819A7710D3749940CFA0

                                  Control-flow Graph
                                  control_flow_graph 270 12fd7a0-12fd7a6 271 12fd7a8-12fd83c DuplicateHandle 270->271 272 12fd83e-12fd844 271->272 273 12fd845-12fd862 271->273 272->273
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012FD82F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622694853.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_12f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: c425a340f6e8b09dffc650878c37c3e83af7dcbc2ae5515317796c68f1d1276a
                                  • Instruction ID: a168bc048dfbf02af9a4cef6ae357c73b7e52c207bfe8ae3c270ac89c5f3e9da
                                  • Opcode Fuzzy Hash: c425a340f6e8b09dffc650878c37c3e83af7dcbc2ae5515317796c68f1d1276a
                                  • Instruction Fuzzy Hash: 2521F4B58003499FDB10CFAAD884ADEBFF8EB48710F14802AE958A3310D374A941CF64

                                  Control-flow Graph
                                  control_flow_graph 276 12fd7a8-12fd83c DuplicateHandle 277 12fd83e-12fd844 276->277 278 12fd845-12fd862 276->278 277->278
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 012FD82F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622694853.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_12f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 9b62cd8fcd94720e05205ca1be1a2234d7d25701dc6e7a4c5cc6a8e47b4e8d3e
                                  • Instruction ID: b333a62c3275397d19ce30727864b4c8cd64ebf23c66f1fbc96b7af695b59471
                                  • Opcode Fuzzy Hash: 9b62cd8fcd94720e05205ca1be1a2234d7d25701dc6e7a4c5cc6a8e47b4e8d3e
                                  • Instruction Fuzzy Hash: 3F21E3B59003099FDB10CFAAD884ADEFBF8FB48710F14842AE918A3250D374A941CFA4

                                  Control-flow Graph
                                  control_flow_graph 281 757a1f8-757a26a SetTimer 283 757a273-757a287 281->283 284 757a26c-757a272 281->284 284->283
                                  APIs
                                  • SetTimer.USER32(?,01326428,?,?,?,?,?,?,0757A0B0,00000000,00000000,?), ref: 0757A25D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1629883790.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7570000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: Timer
                                  • String ID:
                                  • API String ID: 2870079774-0
                                  • Opcode ID: 38106dbdd2608005d293b09a7aa5a272ace233d3734580ee231bc5c0a858269a
                                  • Instruction ID: 6c588915d27ce161953523b0dc2d43c61fdf09de1aac2194ecfe8228bc3cca42
                                  • Opcode Fuzzy Hash: 38106dbdd2608005d293b09a7aa5a272ace233d3734580ee231bc5c0a858269a
                                  • Instruction Fuzzy Hash: 5A11F5B68003499FDB10DF9AD845BDEBBF8FB48320F10841AE958A7640C375A584CFA5

                                  Control-flow Graph
                                  control_flow_graph 292 75788d8-757a26a SetTimer 294 757a273-757a287 292->294 295 757a26c-757a272 292->295 295->294
                                  APIs
                                  • SetTimer.USER32(?,01326428,?,?,?,?,?,?,0757A0B0,00000000,00000000,?), ref: 0757A25D
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1629883790.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_7570000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: Timer
                                  • String ID:
                                  • API String ID: 2870079774-0
                                  • Opcode ID: f5b2ba77d6c8ff952e3068576f0c64e3328c92cbb47258a070f93a4129facc50
                                  • Instruction ID: 39045d5646d4d837e4020ecae85c403bcb1b08dcfbd9b441b188d64bdf18edab
                                  • Opcode Fuzzy Hash: f5b2ba77d6c8ff952e3068576f0c64e3328c92cbb47258a070f93a4129facc50
                                  • Instruction Fuzzy Hash: 0911F5B58003499FDB10DF9AD845BDEBBF8FB48310F10845AE518B7240C375A944CFA5

                                  Control-flow Graph
                                  control_flow_graph 286 12fb0b8-12fb0f8 287 12fb0fa-12fb0fd 286->287 288 12fb100-12fb12b GetModuleHandleW 286->288 287->288 289 12fb12d-12fb133 288->289 290 12fb134-12fb148 288->290 289->290
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 012FB11E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622694853.00000000012F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_12f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 9031c48d9358cfc4d3695688948c6a4d76c89a42e5d3945d7dbbeecd927035a1
                                  • Instruction ID: cc9d18acd95c9fea73eed6fae24ada6193b9021954c39ea28ea2d47371195cbc
                                  • Opcode Fuzzy Hash: 9031c48d9358cfc4d3695688948c6a4d76c89a42e5d3945d7dbbeecd927035a1
                                  • Instruction Fuzzy Hash: 011110B5C003498FDB20CF9AC844BDEFBF4AF88720F10842AD918A7210C379A545CFA1

                                  Control-flow Graph
                                  control_flow_graph 297 75b4f1a-75b4f91 303 75b4f99-75b4f9f 297->303 328 75b4fa2 call 75b8138 303->328 329 75b4fa2 call 75b514e 303->329 330 75b4fa2 call 75b5190 303->330 304 75b4fa8-75b5144 call 75b4ae4 328->304 329->304 330->304
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %*&/)(#$^@!~-_
                                  • API String ID: 0-3325533558
                                  • Opcode ID: 5e41cddbd5956d45f732e8bcda871c06125eb1a40449ceddfbd11b80d620d40b
                                  • Instruction ID: d81296ab8fa3dadb5af27cec5557d5de1ecd10e5afa7c48bae94e26ea01809cc
                                  • Opcode Fuzzy Hash: 5e41cddbd5956d45f732e8bcda871c06125eb1a40449ceddfbd11b80d620d40b
                                  • Instruction Fuzzy Hash: 2F51CD31B00254AFD704ABB4D4556EEBBB2BFC9700F54C9AAD881AB285CF356D09CBC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: %*&/)(#$^@!~-_
                                  • API String ID: 0-3325533558
                                  • Opcode ID: 4048681f52bc2313a7b279d3f16a1bf16642dadc9e086ebbc6db42dc12d27eb6
                                  • Instruction ID: f9380591d2cf1d7e3deb455103e914e509baaff2bb956f9dd27a4496ba053b08
                                  • Opcode Fuzzy Hash: 4048681f52bc2313a7b279d3f16a1bf16642dadc9e086ebbc6db42dc12d27eb6
                                  • Instruction Fuzzy Hash: F051AC31B00214ABD704ABB4D455AEEBBB2BBC9700F54C9A9DC856B385CF356D09CBC1
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ~so<
                                  • API String ID: 0-823776597
                                  • Opcode ID: ac5690d8a6d165bb00e6bef8125ae6d9c79ea69127a340ae39ee6b3e26108758
                                  • Instruction ID: 16638aed3763dc69c8f4a25f93675addb96b53fa6aed5034867f81343e7b436c
                                  • Opcode Fuzzy Hash: ac5690d8a6d165bb00e6bef8125ae6d9c79ea69127a340ae39ee6b3e26108758
                                  • Instruction Fuzzy Hash: CA4149B4904206CFDB20DF78E2869FD7BF5FB0A312B099525E00A9B251DB39AC45CF41
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ~so<
                                  • API String ID: 0-823776597
                                  • Opcode ID: 9f1ea216966145d9e1db6e57cceeb0b68910816c9bcbf7d36e7b0404e59240d9
                                  • Instruction ID: 6060265a3be2ba4271b1a1d5f7674c5ec7c2312e329e7afb68ae8bb525a00f34
                                  • Opcode Fuzzy Hash: 9f1ea216966145d9e1db6e57cceeb0b68910816c9bcbf7d36e7b0404e59240d9
                                  • Instruction Fuzzy Hash: A13138B0904206CFDB20DF68E2469EDBBF6FB09316B199425E00A9B351DB39AC49CF41
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: ~so<
                                  • API String ID: 0-823776597
                                  • Opcode ID: 9e264ebb89284b9b496c4f14dfed688d022d3d0da93d1ff2efa5b1de13cfd760
                                  • Instruction ID: d60f93802237a8666e837b670e1daef0aff7f1f558eab8871cc53ee81a526aa1
                                  • Opcode Fuzzy Hash: 9e264ebb89284b9b496c4f14dfed688d022d3d0da93d1ff2efa5b1de13cfd760
                                  • Instruction Fuzzy Hash: A32159B0904206CFDB20EF68E2468FD7BF6FB0A316B199569D00E9B251DB399C45CF41
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Hw
                                  • API String ID: 0-2462119908
                                  • Opcode ID: 92812e5cac6028147da2a9c5b37ee9b91af6fb0a174d7e16ab5613e7e4660673
                                  • Instruction ID: d001e78eaad448b016440033fa40e24a114e2e694b90fa6851ae3382e55aaff8
                                  • Opcode Fuzzy Hash: 92812e5cac6028147da2a9c5b37ee9b91af6fb0a174d7e16ab5613e7e4660673
                                  • Instruction Fuzzy Hash: 38114CB0E04209CFDB24DFB4D5964ECBBB5FB89201B249129C41AE7785DB345C06DF50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: Hw
                                  • API String ID: 0-2462119908
                                  • Opcode ID: f057b24d41fe3ae95405698c1bbe76c7e38b26f6deec331f7768d86be5f0999f
                                  • Instruction ID: 54133cf9f8a58e793b5158560c15641737fcf5cc606829a99da72f61d8cbe1bb
                                  • Opcode Fuzzy Hash: f057b24d41fe3ae95405698c1bbe76c7e38b26f6deec331f7768d86be5f0999f
                                  • Instruction Fuzzy Hash: DD0125B0A00209DFDB10DFB8D5564ECBBB6FB89201B209229D81AEB795DB345C46DF50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1e35bf19892b7bca0c75c0efde12de0a0a30f5837960f852d7d6872fca92ec89
                                  • Instruction ID: ed7652dd57b718f7dfe2916453f1ee18b48ba48f0de8e3ef454140153d9e1d04
                                  • Opcode Fuzzy Hash: 1e35bf19892b7bca0c75c0efde12de0a0a30f5837960f852d7d6872fca92ec89
                                  • Instruction Fuzzy Hash: D4F1CB71D1061ACBCF10DFA8C8946EDB7B5FF89300F1086A9D54977254EB70AA85CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 26c4dc8f87c0eea3132f530bd721a9056a10c91e21db93ff56cfc2b18afa6c34
                                  • Instruction ID: 041762ecebf067820d7c10116f98ca94910c072259ef8a5011bcb66737b3d8be
                                  • Opcode Fuzzy Hash: 26c4dc8f87c0eea3132f530bd721a9056a10c91e21db93ff56cfc2b18afa6c34
                                  • Instruction Fuzzy Hash: B8E1CA75D1061ACBCF10DFA8C8945EDB7B5FF89300F1086AAE509B7254EB70AA85CF90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d19ada7ed9fe46a66edda9df77c14a0baabbca062597adc6681f9088227c5f55
                                  • Instruction ID: 785ef5501d080e99eb632e5b0c17603d0ef410227516992f37f7a9840ff18a85
                                  • Opcode Fuzzy Hash: d19ada7ed9fe46a66edda9df77c14a0baabbca062597adc6681f9088227c5f55
                                  • Instruction Fuzzy Hash: F981A2B0E1021ADFCB21EF68D4986FDBBB0FF45310F11446AD446AB2A4EB34D965CB61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0f54c3c13cb71f0202bcb6c2fe5d9285ed78ed815f85c3732a3a58bf4f8baf29
                                  • Instruction ID: 2afe7ab5b18b1b29ccce05dc4021fd7f07436a9304d8ca0349bd7bec1bc28317
                                  • Opcode Fuzzy Hash: 0f54c3c13cb71f0202bcb6c2fe5d9285ed78ed815f85c3732a3a58bf4f8baf29
                                  • Instruction Fuzzy Hash: C6814DB0A142598FDB24CBA5C490AFEBBF1FFC9300F5489ABD455AB285D7349C42CB60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 514f6d2ab8d2aeab8ead5bd44eb8ddcc7a626fe9ddf8c7e6408081a2e15c75d7
                                  • Instruction ID: 4fac944dab2856cc944e0bd36d8a282355ad2327951e30daccde0a96546656e2
                                  • Opcode Fuzzy Hash: 514f6d2ab8d2aeab8ead5bd44eb8ddcc7a626fe9ddf8c7e6408081a2e15c75d7
                                  • Instruction Fuzzy Hash: B9716EB0A142598FCB24DBA5C490AFEBBF1FFC9300F54896AD455AB385E7349C42CB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e0c46349282bedabea4ebb3df2e122d4aa098702d6d447def211d0efeb4f78dc
                                  • Instruction ID: 1f399c284550d24df35b5f11c4218b63bda396aac56fd60d57ef9af1261c4df9
                                  • Opcode Fuzzy Hash: e0c46349282bedabea4ebb3df2e122d4aa098702d6d447def211d0efeb4f78dc
                                  • Instruction Fuzzy Hash: CD51A3B1A002098FDF65AFB8D8552FE7BB2BB89250F54056ED806A7381DB359D028791
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 35b9d83b21af72e23d06dca2f4c12ece582c74e8f1ab60d81d7c056f7ceaff6b
                                  • Instruction ID: 16cdeab9f2fa321537fc30273b74bc7d05216ca7211918ac9c245b23241427fa
                                  • Opcode Fuzzy Hash: 35b9d83b21af72e23d06dca2f4c12ece582c74e8f1ab60d81d7c056f7ceaff6b
                                  • Instruction Fuzzy Hash: 5951C3B0E046099BDB14DBA5C8517FEBBB2FBC9300F108927E955AB3D4CB349842CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  • Instruction Fuzzy Hash: 0A11A3B8F002059BDB289BB99C047FBBAA6FFC5610F04852AE806D73C0EB358C0087D0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: abd709cab542d3df1efd6718e1a29239555e288bd18b14d946d7a2e04273d5ac
                                  • Instruction ID: 3b42199b19586acbe7613050f2c662b8ccf93172ef5d021758591c51c88aaa22
                                  • Opcode Fuzzy Hash: abd709cab542d3df1efd6718e1a29239555e288bd18b14d946d7a2e04273d5ac
                                  • Instruction Fuzzy Hash: F021D5B4914118CFCB24CF94C684AFDB7B6FB4E311F605995D44AB7244C731AD86CE24
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 238cb4f0a39f682bc073f191dcdf906718a7f5ba2c43833b8806aa455fc1422f
                                  • Instruction ID: 86f5a3308b28d1596bc73c76aa2518f0a214d66c22a21039c4353bc4df112a49
                                  • Opcode Fuzzy Hash: 238cb4f0a39f682bc073f191dcdf906718a7f5ba2c43833b8806aa455fc1422f
                                  • Instruction Fuzzy Hash: 0411FEB151D2A58FD3394728EC806F6BBA9FB4B222F254573F055CB5C2F625C86183A1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 369707d95bd910558f5109a45c6d838d8568f634eb7d9b3346478cb670d883d2
                                  • Instruction ID: a383f8911db38de2e3d83ad864c9ed9a1ec197f7fff183d7015103c74b24d8d6
                                  • Opcode Fuzzy Hash: 369707d95bd910558f5109a45c6d838d8568f634eb7d9b3346478cb670d883d2
                                  • Instruction Fuzzy Hash: F22108B1D046588BEB18CFA6D9453EEFBF6AFC9300F14C06AD40866254DB75094A8FA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622020752.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_129d000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                  • Instruction ID: 829154f0002a8dda7ab14cc08f25ccbc316d858c832fd47c2be0880955a85b5a
                                  • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                  • Instruction Fuzzy Hash: B911CD76504284CFCF12CF58D5C0B16BF62FB84224F2486A9D9490B256C33AD45ADBA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d8debda07ec2f659f4346649bd4a04c094195cd8a1aa1abcd5a85e9b13d8b138
                                  • Instruction ID: 1be8578d01f54f84da055e0af430be8df9da8a5b43a36da6fa85fe468ccd1f59
                                  • Opcode Fuzzy Hash: d8debda07ec2f659f4346649bd4a04c094195cd8a1aa1abcd5a85e9b13d8b138
                                  • Instruction Fuzzy Hash: 6711E6F4D08209AFDB54DFA9C5809EDBBF9FB89310F1195A6D41897211E3B0AA418B81
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55c962b141d34990ac3dbdc890fbea1b1cc717fc9c07b9b147caba458ef4b986
                                  • Instruction ID: 86cbc02361990b1ccc70c2ef00a2b77d400845fbb8befd717cd185685abf01ca
                                  • Opcode Fuzzy Hash: 55c962b141d34990ac3dbdc890fbea1b1cc717fc9c07b9b147caba458ef4b986
                                  • Instruction Fuzzy Hash: 2111C9B0D1065C8BDB18CFAAC9546EEFBB6BF89300F04C02AC415AB354EB7418068B90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b6547efca83dcc86fcb38dc33dd5e4bf980b0ec81d54633e916a41a53a7fb5f0
                                  • Instruction ID: 13869ea435750c17fd08ed933bb272653e66ac1980a464c7b06c98a3d3498c0a
                                  • Opcode Fuzzy Hash: b6547efca83dcc86fcb38dc33dd5e4bf980b0ec81d54633e916a41a53a7fb5f0
                                  • Instruction Fuzzy Hash: D7118C70E0015ACFDB05EFA8D8416EEB7B0FF49310F148525C815E7290DB788506CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9f7c7abc0e56b3ab1f520a60c41dae4595b317d0566e6f0f8af02a2c9963d444
                                  • Instruction ID: a567c699986a9a4952075552d84ac29c31e5f66a8b8b5fdbcc175ff2050af0b2
                                  • Opcode Fuzzy Hash: 9f7c7abc0e56b3ab1f520a60c41dae4595b317d0566e6f0f8af02a2c9963d444
                                  • Instruction Fuzzy Hash: 6401B9B56003164BEB35961AE4957FBBB56FFC0211F148426D80A466D4DF31D486C651
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622134291.00000000012AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012AD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_12ad000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                  • Instruction ID: c9f72b503cccdae0b2d2aa62dfbc2a30ec858996427bc927db9fa8ed58c35965
                                  • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                  • Instruction Fuzzy Hash: 3211BB75504284DFDB02CF54C5C4B15BBA2FB84324F24C6ADD9494B6A7C33AD40ACB61
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 70334138375b7e170a621627233b1a8f3da43f00fe3e491dc752938f1b7553ca
                                  • Instruction ID: 2fe3de9185767cb6f75e4c4eba45be862dd165bb4d9f0515c901274cb0b22b15
                                  • Opcode Fuzzy Hash: 70334138375b7e170a621627233b1a8f3da43f00fe3e491dc752938f1b7553ca
                                  • Instruction Fuzzy Hash: 3D01D6B0740605DFE7284A258C05BF9B39BBBC5711F559466F502CF2E1DAB6E8118BC1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f513b4f6f2828a27c1e6093e2638382887fee5527c4775c9cc821185ab30c268
                                  • Instruction ID: 7948e918e84586e992c3d0dc77e14fd888b18710696abcadea881e0e32f96231
                                  • Opcode Fuzzy Hash: f513b4f6f2828a27c1e6093e2638382887fee5527c4775c9cc821185ab30c268
                                  • Instruction Fuzzy Hash: 64117F75E002098FCF48CFE9C8809EDBBB1FB88300F10812AE919AB355D731A856DF50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b600c466da32bde782689b56e64dfe6d13fd983a6fb0f401286eba30b4f2c81d
                                  • Instruction ID: 0649a9595ddfa1e06afb7b06ed207cc9a49a78143b35faec1cfa0ae21d64a602
                                  • Opcode Fuzzy Hash: b600c466da32bde782689b56e64dfe6d13fd983a6fb0f401286eba30b4f2c81d
                                  • Instruction Fuzzy Hash: 6B11D3F4D08209DFCB54DFADC5809FDBBF9FF89300F1099959408A7205E3B0AA418B80
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9647e5ddee1514544dfdf8f03b6d0b53d5a96c529c48342d22778e7508ba7925
                                  • Instruction ID: 9225fd28342d9cfbba4f848978aadbda57b1ddfd45a3a8efd492b6bd53f75ad3
                                  • Opcode Fuzzy Hash: 9647e5ddee1514544dfdf8f03b6d0b53d5a96c529c48342d22778e7508ba7925
                                  • Instruction Fuzzy Hash: 13018075908204EFC715DFA8D695AEDBBF4FB4A200F55C0D5D4089B352D7349E04DB50
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b8f3058e6cc46564a6990339aeabbc21df04645ac477a2e9aa3864d684d68528
                                  • Instruction ID: 233b8233f4c33f3994ab33836562fcc1948257694634fe80edbe324223df596e
                                  • Opcode Fuzzy Hash: b8f3058e6cc46564a6990339aeabbc21df04645ac477a2e9aa3864d684d68528
                                  • Instruction Fuzzy Hash: 3A11C8B1D006189BEB28CF9BC9443DEFBF6AFC9300F14C06AD50976254EB7509458F94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a32ce95ddfe04d0f382c550f0a0498690309be1d84ede251d96627a30b44c3a2
                                  • Instruction ID: ecfbb38edfce128b79ae9db58af9002438531d954f3ea7f6fd14fc9a09f97a18
                                  • Opcode Fuzzy Hash: a32ce95ddfe04d0f382c550f0a0498690309be1d84ede251d96627a30b44c3a2
                                  • Instruction Fuzzy Hash: 0C11A275E002498FDB05CFE8C484AADFBB1FF89314F10816AEA15AB255D7326956DB40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d7e0e52818a82ceb83a22fbc5e1d82d42be1d58e3af57c8c188b21285ece4d6
                                  • Instruction ID: 0be92dcb09f27fbaab8d29c3d69bb9b37be230fe107d469efde6796e7296f665
                                  • Opcode Fuzzy Hash: 2d7e0e52818a82ceb83a22fbc5e1d82d42be1d58e3af57c8c188b21285ece4d6
                                  • Instruction Fuzzy Hash: 3201A2B1A0D208DFC725CF65E5016FDBBB8FB8A310F4095A6D4098B212D7745E49EBA4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622020752.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_129d000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d676c32195ebbc96341abc6d464a65dec572c375905cd6565ffdc3dd5522473a
                                  • Instruction ID: 95778dcfb9347982f18a05bf301bd82d993a5d916d006bfe1e4b21dbf70a2b74
                                  • Opcode Fuzzy Hash: d676c32195ebbc96341abc6d464a65dec572c375905cd6565ffdc3dd5522473a
                                  • Instruction Fuzzy Hash: 18012B710143889BFB145E9DCCC4BAFBF98DF41625F14C51AEE080B282C3799400DBB2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e14b80e12ba9ce70b8c1cc7b895e346ab239329cf368779d0f50707fc6098215
                                  • Instruction ID: c55a77f4119e0b63c2b007910606ff825d411d816bfe88a7916b2f7bc3f7c177
                                  • Opcode Fuzzy Hash: e14b80e12ba9ce70b8c1cc7b895e346ab239329cf368779d0f50707fc6098215
                                  • Instruction Fuzzy Hash: D311C5B4904218CFCB24CF94C6849FDB7B6FB4E311F605599D45AB7250C735AD89CE24
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5406c88ee0c938cd8fd93be8d58d96f0942141f9c475fd090d5e9c017d87b889
                                  • Instruction ID: 3935aaf90d1beba513c462acb034b27432b82043514b283802508fcbcc74938a
                                  • Opcode Fuzzy Hash: 5406c88ee0c938cd8fd93be8d58d96f0942141f9c475fd090d5e9c017d87b889
                                  • Instruction Fuzzy Hash: 18F02832A042684BCF02BAA8D8240DEB7B5EF8A310F028567D945B7241EF305A49C7E1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 51275c03157bf7c0cb8630f54fd35dfaff4f0474e8d8e53d4213122a91682d2a
                                  • Instruction ID: 7587c7eaccca4ef09abc87116a23c2121502f614d16b9544cd3350ece2b20976
                                  • Opcode Fuzzy Hash: 51275c03157bf7c0cb8630f54fd35dfaff4f0474e8d8e53d4213122a91682d2a
                                  • Instruction Fuzzy Hash: 760129B0E1025ACFDB04EFA8C8117EEBBB1FF49304F108529C915B7290EB789A15CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32ddaf2148167a433ec7ee2b7c9caf220f3bb61b7e13dd369a207aef2cadf9f6
                                  • Instruction ID: ad9be938e9b90c56bf64763238321b1b14522deda4a96cac0eab9daf9c45d75f
                                  • Opcode Fuzzy Hash: 32ddaf2148167a433ec7ee2b7c9caf220f3bb61b7e13dd369a207aef2cadf9f6
                                  • Instruction Fuzzy Hash: B901DEB2D1410AABCF10DF99D9459FFBBB8FB58310F114126E919B7240D730AA14CBA1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fbfa33a130fda1f4f33a18d5b7e4a794e904d23cb12d4878a1b1329dbacb2dfc
                                  • Instruction ID: b1da7386b9aa0ffa706e6a95e98b1216133b15c2d54bd6141b526e91c36a957e
                                  • Opcode Fuzzy Hash: fbfa33a130fda1f4f33a18d5b7e4a794e904d23cb12d4878a1b1329dbacb2dfc
                                  • Instruction Fuzzy Hash: 85F0F03B304300AFD360AE65B405EEA7BA5FBD5730F15803BE548CB280CA31C846C7A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 011a7248a4b9a793ff65394e8dfc651baea0f25fe3d38764ef8a16801fff3a92
                                  • Instruction ID: 25f3de012b0f868b5a79cda50575de3705dff1025a3d1615ace7a4971a6b58fd
                                  • Opcode Fuzzy Hash: 011a7248a4b9a793ff65394e8dfc651baea0f25fe3d38764ef8a16801fff3a92
                                  • Instruction Fuzzy Hash: B3018131A1062E8BCF15ABA8D8144EEB3B5FF89310F018529D91677240EF346A19CBE5
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 58312cb279198b4abb9477ec13713ac4641673742dac73e0a944cb5b938a2214
                                  • Instruction ID: 4f554a9c53b991c1843678857cb472e1bccfc9a3f77ffaef1525161489ded6cd
                                  • Opcode Fuzzy Hash: 58312cb279198b4abb9477ec13713ac4641673742dac73e0a944cb5b938a2214
                                  • Instruction Fuzzy Hash: 9F01A47690424A8FDF11CFA8E8519FABF74EB09320F25412BE954F7281DB346A05CBD1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff1c7d02c123d9ebf8942976cfaa640955a3832a365cc853b0938a5c1a0a702f
                                  • Instruction ID: 8eb41d01ae77a897e9cb1f269ab3e5f02dd5f1690a32929b271dac0f0fa0c919
                                  • Opcode Fuzzy Hash: ff1c7d02c123d9ebf8942976cfaa640955a3832a365cc853b0938a5c1a0a702f
                                  • Instruction Fuzzy Hash: 05F06DB0D19208DBCB24CF65C541AFDBBB9FF9A300F8099A5D4095B211D7709E15EBA8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1622020752.000000000129D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0129D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_129d000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 07c11df60aef6289b4e1d5bffe0508c89a042262088ee84252dc7427d751a70d
                                  • Instruction ID: a5f85878eaa6227dd818b976bccba7e2c86bc23f89659aaad33c1d7cc83c9ef3
                                  • Opcode Fuzzy Hash: 07c11df60aef6289b4e1d5bffe0508c89a042262088ee84252dc7427d751a70d
                                  • Instruction Fuzzy Hash: 7CF096714043889EEB149E59CC84BA6FFD8EF51634F18C55AEE0C5B287C2799844DBB1
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.1630236314.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 075B0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_75b0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4641f51ff7aedd777bc2b8682eeb19f5292f94828ec78cf4cffbc65f42064c8b

                                  Execution Graph

                                  Execution Coverage:11.7%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:3.6%
                                  Total number of Nodes:84
                                  Total number of Limit Nodes:11
                                  execution_graph (node/edge dump of 84 nodes, rendered as a graph in the original report; only the API calls recoverable from it are kept here): 15370a0 -> CheckRemoteDebuggerPresent; 69d3458 -> DuplicateHandle; 1530848 -> GetModuleHandleW (via 69d20f8 / 69d2108 / 69d1834) and GlobalMemoryStatusEx (via 1538258 / 69ffa00 / 69ffa10); 69d3210 -> GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId; 69dd910 -> CreateWindowExW

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph for 15370a0: block 741 (15370a0-1537124, calls CheckRemoteDebuggerPresent), block 743 (1537126-153712c), block 744 (153712d-1537168); edges 741->743, 741->744, 743->744
                                  APIs
                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01537117
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2856634303.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1530000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  • Instruction Fuzzy Hash: EB22F231E202058FDF60DBA4C4806AEBBB6FF95320F26856AD915EB754DB35DC42CB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a9750e10088f364c6d0e3a6ea54f889a2fdbd0337e93a1224c1296c7f26d330f
                                  • Instruction ID: ae3371bcccfaa52918fce56455359b5e0d36d206318a9f2840c54fa4dbe744d0
                                  • Opcode Fuzzy Hash: a9750e10088f364c6d0e3a6ea54f889a2fdbd0337e93a1224c1296c7f26d330f
                                  • Instruction Fuzzy Hash: 49228330E212098BDF64DF58D4907AEB7BAFB89310F758426E505DBB99CB34DC818B51
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6c0cb9355b3fbaeacb27c74ccbcba4d4141cd8ef9286d34152bcfbaf0a15c913
                                  • Instruction ID: 5e8ee13604973ec5b8de6c671cf8b93c7bb36014b0a7386e740418cce4453a93
                                  • Opcode Fuzzy Hash: 6c0cb9355b3fbaeacb27c74ccbcba4d4141cd8ef9286d34152bcfbaf0a15c913
                                  • Instruction Fuzzy Hash: AF323B30E1075ACFDB14EF74C85069DB7B6FFC9300F6186AAD509AB254EB34A981CB80
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4080d792777acf6f5ba43de41d17f5e3f9e6d04bf72874be9c9db7213c16326c
                                  • Instruction ID: dc8fbb73cd900e1e58d022de5527fb7e684baa9aa72f27bdf1b6f03bd70ed732
                                  • Opcode Fuzzy Hash: 4080d792777acf6f5ba43de41d17f5e3f9e6d04bf72874be9c9db7213c16326c
                                  • Instruction Fuzzy Hash: 2402DE30B202198FDB94DF64D950AAEB7BAFF84310F658529D905EB794DB71EC42CB80

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 069D328E
                                  • GetCurrentThread.KERNEL32 ref: 069D32CB
                                  • GetCurrentProcess.KERNEL32 ref: 069D3308
                                  • GetCurrentThreadId.KERNEL32 ref: 069D3361
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861662362.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69d0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 5d0137c320d18d129dafc394be5ead656b44d18c6e78d825967215c9a8faaac0
                                  • Instruction ID: 76b18ef7d4e225a4afafbb38ea84f1215b47a61fdee52c2db6c455879653c013
                                  • Opcode Fuzzy Hash: 5d0137c320d18d129dafc394be5ead656b44d18c6e78d825967215c9a8faaac0
                                  • Instruction Fuzzy Hash: EE5167B0D003098FDB55DFAAC948B9EBBF1BF88315F20C459D409A7660DB749944CF66

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentProcess.KERNEL32 ref: 069D328E
                                  • GetCurrentThread.KERNEL32 ref: 069D32CB
                                  • GetCurrentProcess.KERNEL32 ref: 069D3308
                                  • GetCurrentThreadId.KERNEL32 ref: 069D3361
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861662362.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69d0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: Current$ProcessThread
                                  • String ID:
                                  • API String ID: 2063062207-0
                                  • Opcode ID: 0547d436e4e55f767d49cd742331fcc6f72ca93b27afeecc84fb110193411a6a
                                  • Instruction ID: 1b188ac4d40a8f8a11520c9ed418a19e29cc1490d4c750c72875dcd8cf78fc13
                                  • Opcode Fuzzy Hash: 0547d436e4e55f767d49cd742331fcc6f72ca93b27afeecc84fb110193411a6a
                                  • Instruction Fuzzy Hash: 435155B0D003098FDB54DFAAC948B9EBBF1BF88315F20C469D409A7660DB746944CF66

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 69fa378; internal calls to 69f2058 and 69f6570; basic blocks span 69fa2f0-69fa61b.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: X!@$x!@
                                  • API String ID: 0-2527372166
                                  • Opcode ID: 89cd88936a48233419dde131b205502deaea1cdbaeb5443d6ff2341c1e8cf8f3
                                  • Instruction ID: fb55331b0732817da2cc7c849f11f8fd05189496fa14c6e42fa1f18ab4a3f2fb
                                  • Opcode Fuzzy Hash: 89cd88936a48233419dde131b205502deaea1cdbaeb5443d6ff2341c1e8cf8f3
                                  • Instruction Fuzzy Hash: E681A331B20215DFCB54DF68D8406AEB7F6FB88310F218829E909E7754DB759C458B90

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 69db718; internal calls to 69da8f0, 69db9c0/69db9b3, 69da8fc, 69d3d00, 69d8ed8, 69da90c and 69dbc80/69dbc70; GetModuleHandleW called in block 69db960-69db98b.
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 069DB97E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861662362.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69d0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: f5f7a266d765f89ee169329ae551e1eee88a049ffcced878a218dfae992187b7
                                  • Instruction ID: 0c19aa028271f655f4088dcc99dd85b0b95722803a491bd0fe6e813f66e144a0
                                  • Opcode Fuzzy Hash: f5f7a266d765f89ee169329ae551e1eee88a049ffcced878a218dfae992187b7
                                  • Instruction Fuzzy Hash: 668187B0A00B059FDBA4DF2AD44475ABBF5FF88300F10892ED48AD7A54DB74E845CB91

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 69dd904; CreateWindowExW called in block 69dd9d3-69dda32.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069DDA22
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861662362.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69d0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: ad27bb1bb294fec106a3559044700fbf665bfe424f002d8ca939dc0e76a48bf8
                                  • Instruction ID: 6f28ed854659a05ea5928e26838a80bc5654aa07e2a82c1754f24bf7c0df5c7a
                                  • Opcode Fuzzy Hash: ad27bb1bb294fec106a3559044700fbf665bfe424f002d8ca939dc0e76a48bf8
                                  • Instruction Fuzzy Hash: 7C51B0B5D00349EFDB14CF9AC884ADEBFB6BF48310F24852AE819AB210D7759945CF91

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 69dd910; CreateWindowExW called in block 69dd993-69dda32.
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069DDA22
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861662362.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69d0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 676cd3ea8464632437a2a93300e761d4d4df8c1949b7b2379ccb9535f575994f
                                  • Instruction ID: 29fe500dfec6fd76cf6ff1d9d33b606d870b45c50737f61d811fa0941fe91daf
                                  • Opcode Fuzzy Hash: 676cd3ea8464632437a2a93300e761d4d4df8c1949b7b2379ccb9535f575994f
                                  • Instruction Fuzzy Hash: 5641B0B1D00309DFDB14CF9AC884ADEBFB5BF48310F24812AE819AB210D7759945CF90

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 1537099; CheckRemoteDebuggerPresent called in block 1537099-1537124.
                                  APIs
                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01537117
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2856634303.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1530000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: CheckDebuggerPresentRemote
                                  • String ID:
                                  • API String ID: 3662101638-0
                                  • Opcode ID: 694a72aaa0be98c3a272c9044477bd19cf2511fbcc5b01ebaa0214e87729ebd5
                                  • Instruction ID: cf7707fde6e4a350a7a969e058bc3aeb97c7dbafc47dbffaa71bd1f4814dd13c
                                  • Opcode Fuzzy Hash: 694a72aaa0be98c3a272c9044477bd19cf2511fbcc5b01ebaa0214e87729ebd5
                                  • Instruction Fuzzy Hash: 662148B190025A8FDB14CFAAD884BEEBBF4BF89310F14852AE455A7740C7389945CF60

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 69d3450; DuplicateHandle called in block 69d3450-69d34ec.
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069D34DF
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861662362.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69d0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 5d7a1407fdeb223e44d5d17a1d9ba2f17cd15beadef26173d5d09646e0ff14af
                                  • Instruction ID: 8390727e08237f3731a12d74ba2b3cc1a89b9ff8670c4eabd11e666677239ae9
                                  • Opcode Fuzzy Hash: 5d7a1407fdeb223e44d5d17a1d9ba2f17cd15beadef26173d5d09646e0ff14af
                                  • Instruction Fuzzy Hash: D621E4B5D002199FDB10CFAAD884ADEBBF5FB48310F14841AE915A7750D379A950CFA1

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 69d3458; DuplicateHandle called in block 69d3458-69d34ec.
                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 069D34DF
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861662362.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69d0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 01fe4dfe11356526518ef1161cedc57ae93d52114a371579185b315620a17392
                                  • Instruction ID: d41ed3d660893addb844a19fec16d40bef36413789d65bd38f01da8a529fd7d8
                                  • Opcode Fuzzy Hash: 01fe4dfe11356526518ef1161cedc57ae93d52114a371579185b315620a17392
                                  • Instruction Fuzzy Hash: AA21C4B59003599FDB10CFAAD884ADEBBF9FB48310F14841AE914A3350D379A954CFA5

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 153f16f; GlobalMemoryStatusEx called in block 153f16f-153f1fc.
                                  APIs
                                  • GlobalMemoryStatusEx.KERNELBASE ref: 0153F1EF
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2856634303.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1530000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: f84d2f049dda118adb750b4c1962eb1e52b7ecbb5a1a99a0d88815a3fbaed865
                                  • Instruction ID: b58c65c7f5ad65606a2908d6bd56063ee55406ab8891db6dd60255fee5117bd6
                                  • Opcode Fuzzy Hash: f84d2f049dda118adb750b4c1962eb1e52b7ecbb5a1a99a0d88815a3fbaed865
                                  • Instruction Fuzzy Hash: 112156B1C0025A9FDB10CFAAC8457DEFBF4BF48210F15812AE918B7640D338A904CFA1

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 153f188; GlobalMemoryStatusEx called in block 153f188-153f1fc.
                                  APIs
                                  • GlobalMemoryStatusEx.KERNELBASE ref: 0153F1EF
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2856634303.0000000001530000.00000040.00000800.00020000.00000000.sdmp, Offset: 01530000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1530000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: 9a1ce83365ce00a282663ab917e2f0667f2b09ab3dffcdddd6143d831deab210
                                  • Instruction ID: 76676a53a49a5217acbbec0539673205e76fb65ca69e26877324eb953adf264d
                                  • Opcode Fuzzy Hash: 9a1ce83365ce00a282663ab917e2f0667f2b09ab3dffcdddd6143d831deab210
                                  • Instruction Fuzzy Hash: 321112B1C0065A9FDB14DF9AC844B9EFBF4BF48720F11812AE918B7240D378A944CFA1

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 69db918; GetModuleHandleW called in block 69db960-69db98b.
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 069DB97E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861662362.00000000069D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69d0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 62ec6fd84d7403ae729d4b8de38d4ef0a0e9879e6a7ebf9b814dac84db3b26ea
                                  • Instruction ID: d7c50bb3baa34911ebf8c932900d6a12a3c6f6099e5b66d36d8c709dcffb2192
                                  • Opcode Fuzzy Hash: 62ec6fd84d7403ae729d4b8de38d4ef0a0e9879e6a7ebf9b814dac84db3b26ea
                                  • Instruction Fuzzy Hash: CA11D2B5C007498FDB14DF9AC844A9EFBF4AB88714F11842AD459A7610C379A545CFA1

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 69ffea3; internal call to 153ec18/153ec08 at 69ffee1; basic blocks span 69ffea3-69fff72.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: |
                                  • API String ID: 0-2343686810
                                  • Opcode ID: 51cfdd410704c09e65fba9fc99211d1644ffc97b4c72c24979562fa56c26d25f
                                  • Instruction ID: 00f71c7ca11ce34dc4271b1dda8467a8b7ec7ba7a2c3940cb2d37d8f129096ee
                                  • Opcode Fuzzy Hash: 51cfdd410704c09e65fba9fc99211d1644ffc97b4c72c24979562fa56c26d25f
                                  • Instruction Fuzzy Hash: FA21C370B052109FDB54DF788814BAD7BF1AF48610F0584AAE50AEB3A1DB389D00CB80

                                  Control-flow Graph

                                  Control-flow graph (rendered as an image in the original report; legend: Executed / Not Executed). Entry block 69ffec0; internal call to 153ec18/153ec08 at 69ffee1; basic blocks span 69ffec0-69fff72.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: |
                                  • API String ID: 0-2343686810
                                  • Opcode ID: 5f72a45ad17e582934f47f13691fb3751fb9f7b4dc4d5899908267cea50fb176
                                  • Instruction ID: d1f5aaf6da46a3bcd9d9a8e0898fd260c148cc8c95b7405b48280681f38a5e52
                                  • Opcode Fuzzy Hash: 5f72a45ad17e582934f47f13691fb3751fb9f7b4dc4d5899908267cea50fb176
                                  • Instruction Fuzzy Hash: BC115E74B102159FDB94DF789804B6E7BF5AF88710F108469EA0AE73A0DB359D00DB80
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a589d68f30c9d58fc1e33e27b85bdef3ed2f261bc91a184cb98f95c36c9f2b32
                                  • Instruction ID: aa5bf6fefc47b75d7e2649257772ac35657e851c1dafea8c84891ad479afe299
                                  • Opcode Fuzzy Hash: a589d68f30c9d58fc1e33e27b85bdef3ed2f261bc91a184cb98f95c36c9f2b32
                                  • Instruction Fuzzy Hash: 61627030A1031ACFCB55EF68D590A9EB7B6FF84710B218629D8059F758DB71EC4ACB81
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8bdaa6feb0ba469e7764d71895bbf114e93eaf53f83145831256f8751f672c44
                                  • Instruction ID: ebe26abe20c951ac63c6b0392dd54d0658b43c2832a3651b0973c6cf1c3506d6
                                  • Opcode Fuzzy Hash: 8bdaa6feb0ba469e7764d71895bbf114e93eaf53f83145831256f8751f672c44
                                  • Instruction Fuzzy Hash: BD026D30E202098FDB64DF68D4807AEB7BAFB85310F21892AD515DBA59DB34DC81CB91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b7bef2f2030f89f4f7f0f18fa9e8a39900fc81ac71f2ccddff361e960b51f33a
                                  • Instruction ID: 0b9218169497e62866294799d0fd3d126d7fe64a4974519b8a8120ab7ac52b3b
                                  • Opcode Fuzzy Hash: b7bef2f2030f89f4f7f0f18fa9e8a39900fc81ac71f2ccddff361e960b51f33a
                                  • Instruction Fuzzy Hash: FEE18C30F2031ADFDB64DF64D8906AEB7B6FF85210F21852AD909AB658DB359C45CB80
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2b1240a0955f4c6ab982453e3f8b7270ce34ee74cc92e3f889dc1bf34f0b0939
                                  • Instruction ID: 86972c5396e8300ac6b119ce766c8015e01db94c7ed0b6109e0d647d1d206920
                                  • Opcode Fuzzy Hash: 2b1240a0955f4c6ab982453e3f8b7270ce34ee74cc92e3f889dc1bf34f0b0939
                                  • Instruction Fuzzy Hash: E1917F30B1021A9FDB94DF65D8507AEB7FAFF85200F208569CD0AEB344EA35DD468B91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7f0cbcb10c3662f905768ff4d493082c97dd9dc1820788a878c7d50d17121820
                                  • Instruction ID: 01228f3f440620bb71669100d282ee6f8a843b91ff82fd1d75677a5bc1efb2f9
                                  • Opcode Fuzzy Hash: 7f0cbcb10c3662f905768ff4d493082c97dd9dc1820788a878c7d50d17121820
                                  • Instruction Fuzzy Hash: 4461D671F102214BDF54AB7EC88095EBADBEFC4610B25443AD90ADB3A0DE66FC4287D5
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 878ee3d2621e17e8438fa6150a84f57d08fcb273d0b36a6546f1cbee854f7dd4
                                  • Instruction ID: a3289307788d7fdf2c0a43dec3c35c331d36836dd2e663ddea24c6298fdaf54b
                                  • Opcode Fuzzy Hash: 878ee3d2621e17e8438fa6150a84f57d08fcb273d0b36a6546f1cbee854f7dd4
                                  • Instruction Fuzzy Hash: D4816F30B1120A8FDF94DF64D45469EBBF6EF89300F218529D90AEB385DB35DC468B91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 29f63e05e74157138c2b38a1fea9a7b79e109974d6251184e72fd5b53fa876ee
                                  • Instruction ID: 59129e753b8271a2bb3b38020db4e8fdaab12e17566a69cddcc51ada9cd3f344
                                  • Opcode Fuzzy Hash: 29f63e05e74157138c2b38a1fea9a7b79e109974d6251184e72fd5b53fa876ee
                                  • Instruction Fuzzy Hash: E0914D30E102198BDF50CF68C880BDEB7B5FF89710F208699D509FB655DB71A986CB51
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5154176e3032115765ec53943d1fe7e8cbf979fb88ba2252b8532544d80f6420
                                  • Instruction ID: 73300cae2559615e225eac43e6c9bfb4133a95a07b75183d1aff23cfede58363
                                  • Opcode Fuzzy Hash: 5154176e3032115765ec53943d1fe7e8cbf979fb88ba2252b8532544d80f6420
                                  • Instruction Fuzzy Hash: 05913E30E102198BDF60DF68C840BDEB7B5FF89710F208699D509BB255DB71A985CF91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 05f87be09bb29181a2c71ff0f0974a72f167b27526e861619d07c73538e2c044
                                  • Instruction ID: 236338f6c50282fb1782a1c3b2c8fec9b29d366350971d4c509611b361ef3bca
                                  • Opcode Fuzzy Hash: 05f87be09bb29181a2c71ff0f0974a72f167b27526e861619d07c73538e2c044
                                  • Instruction Fuzzy Hash: 04713970A102099FDB44DFA9D980A9DBBFAFFC4300F258429E515EB664DB30EC46CB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e4a1cf7b09ba01c4268d09365794a6b3b40f9a55dec48f2901611f4e73dcb71f
                                  • Instruction ID: 937871ed10753559bd3f1b2e1dfc4143251abe0f6d912ec7847dfd7485dcad8b
                                  • Opcode Fuzzy Hash: e4a1cf7b09ba01c4268d09365794a6b3b40f9a55dec48f2901611f4e73dcb71f
                                  • Instruction Fuzzy Hash: C6710770A102099FDB54DFA9D980A9EBBFAFFC4310F258429E515AB664DB30EC46CB50
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 25c47ebd3fbf2e175702c72a10def30b0a91571793ca90a8944ac38db9e2c3c7
                                  • Instruction ID: 33ca75d8cd36ad1f5da091cad14b1109b929723515763dce85a040193d87c156
                                  • Opcode Fuzzy Hash: 25c47ebd3fbf2e175702c72a10def30b0a91571793ca90a8944ac38db9e2c3c7
                                  • Instruction Fuzzy Hash: 6C61AB70E102099FEF549FA5C8547AEBAFAFB88700F20842AE506EB395DB755C058B91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a8c4911dc1c474173cf02734fe089d73443d4cfdf3140947196a205cd435fe8
                                  • Instruction ID: 4a9c838119b06a1cd789090a331472e8543d5fa3b549dcc0f7987c54fe1a8b72
                                  • Opcode Fuzzy Hash: 2a8c4911dc1c474173cf02734fe089d73443d4cfdf3140947196a205cd435fe8
                                  • Instruction Fuzzy Hash: C951E071E1010ADFDF24EF78E4946ADB7B6FF84311F21886AE60AE7651CB318955CB80
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e70a275b2bb02e62d8233f2f5d198d003535578fc115a2f022b11819184f41c3
                                  • Instruction ID: 766f0160a71bd0f2877c4a759346e67fedfaad84a03c320091db207af8864893
                                  • Opcode Fuzzy Hash: e70a275b2bb02e62d8233f2f5d198d003535578fc115a2f022b11819184f41c3
                                  • Instruction Fuzzy Hash: DA51F430B202158FEF605B68D86076F769EDBCD711F31442AE50AC7B94CF69CC415392
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f8220adc46f0c450cd0f8f245dc322fbadc1006ea80058992b93cbfd8d4c88ec
                                  • Instruction ID: b0c3200e6e2ede57b61ad52fed290b7d88c1ee64d9cad29bda53981c08fb21bb
                                  • Opcode Fuzzy Hash: f8220adc46f0c450cd0f8f245dc322fbadc1006ea80058992b93cbfd8d4c88ec
                                  • Instruction Fuzzy Hash: AD51BF30B202198BEF646B6CC86472F769EDBCD721F70442AE90AC7B94CF69CC415392
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 28a6e8a14021cc52672adc0489ca369e91be8b67f4088099522513163a4402fd
                                  • Instruction ID: 83ee215d986d92184ba5cdb11932ccda54fe23438bd6fc26ae18008bbfef7a74
                                  • Opcode Fuzzy Hash: 28a6e8a14021cc52672adc0489ca369e91be8b67f4088099522513163a4402fd
                                  • Instruction Fuzzy Hash: 08514130B1120A9FDB94DF65D850BAF77FAEF88640F148569DD0AEB344EA35DC028B91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bf875ef1ddf6c7c24c9a06b52f81ef583104e1dbb81495624ebaa655021634f4
                                  • Instruction ID: 470b896498f4676344bdb1a10871e24ac2241d30395608ffd6027e752e93731d
                                  • Opcode Fuzzy Hash: bf875ef1ddf6c7c24c9a06b52f81ef583104e1dbb81495624ebaa655021634f4
                                  • Instruction Fuzzy Hash: BF51A070F102089FDF549FA5C854BAEBAF6FF88700F20852AE505AB394DB758C059B90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 90e2241bc1829d8c829a44c0c13f8a39fa2170a2a75c6cdecb463a97ed55a4b0
                                  • Instruction ID: 8f5d35a4b0f0219afbfd1d46fc6f8778b9cb554e70fbb9df0c15165990336bf7
                                  • Opcode Fuzzy Hash: 90e2241bc1829d8c829a44c0c13f8a39fa2170a2a75c6cdecb463a97ed55a4b0
                                  • Instruction Fuzzy Hash: B3419271E106098FDF70CF99D880AAFF7F6FB95210F22492AE215D7A50D330E8558B91
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ac0c09442df1d74d9d277a5dc9e2389f281578e28f685a697a020cb889ac49c3
                                  • Instruction ID: 13cecbe599f554e8092464fdd57840bdcf8d1b61fca6b5a9fede3290632cc3fc
                                  • Opcode Fuzzy Hash: ac0c09442df1d74d9d277a5dc9e2389f281578e28f685a697a020cb889ac49c3
                                  • Instruction Fuzzy Hash: 1F41E370E1030A8FDF25DF65C44429EBBB6FF85201F21492AD901EB640DB70D80ACB81
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b265e4919985d1f64a33d6b953e0fee0ac9cc1166ef347a128282ef689e07730
                                  • Instruction ID: 51a039db464811218b33097d7e7d1a08e69e2e3303055fe14445a8765692d9ca
                                  • Opcode Fuzzy Hash: b265e4919985d1f64a33d6b953e0fee0ac9cc1166ef347a128282ef689e07730
                                  • Instruction Fuzzy Hash: 99312F30B102468FDB589FB4D4207AE3BAABF89610B204528C802DB354DF3ACD06C791
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1f146b815e65af8f8942cdb1340a32c1b33975a1493fe9d3d51029df6c3a65cc
                                  • Instruction ID: f84d233ab881d22bef19942d1fa6026e3dd7a338eb08a4515f65075e95761bed
                                  • Opcode Fuzzy Hash: 1f146b815e65af8f8942cdb1340a32c1b33975a1493fe9d3d51029df6c3a65cc
                                  • Instruction Fuzzy Hash: F531D070B102468FDB589FB5D4547AF7BAABF89610F248428D902EB358EF36CD06C791
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2a21035937d7b74ff261c3292c1a3d853c42affc49c0e8fff4affd652f696d96
                                  • Instruction ID: aff85d9454be61fa4ad9f440f81b53c8eb58975ea9744aa04b8e522bf5dce500
                                  • Opcode Fuzzy Hash: 2a21035937d7b74ff261c3292c1a3d853c42affc49c0e8fff4affd652f696d96
                                  • Instruction Fuzzy Hash: 8331D430A203198FDF15DFA4C8906DEBBB6FF85200F218529E901EB644DB71A94ACB90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5bca55c42b20a009a76cf09614ce55c2fe0793daee49f5f410b74394a1d30e5f
                                  • Instruction ID: c9cb70b8c0fc10bca95767aaa86ceb9131a0c11e41f2a6acdf6f5f6f4540a1b9
                                  • Opcode Fuzzy Hash: 5bca55c42b20a009a76cf09614ce55c2fe0793daee49f5f410b74394a1d30e5f
                                  • Instruction Fuzzy Hash: F531B230E202069FCB54CFA4D89469EFBB6FF8A300F118929E905EB750DB71AD46CB40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e4615144a35d43bf657f85756a3050f247aa7285ce2ed5975d86714a974cbb1c
                                  • Instruction ID: 90e73ea775636340524add3a48cc55dbe82535ff510b3d91ab01b1e59a93d10b
                                  • Opcode Fuzzy Hash: e4615144a35d43bf657f85756a3050f247aa7285ce2ed5975d86714a974cbb1c
                                  • Instruction Fuzzy Hash: 7331A230F202069FCB14CFA4D89469EB7B6FF89300F118919E906E7750DB71AD45CB40
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6d839294ca01629f10275e7bc0c7d88143ef5bcdae0498cb5f42003a44a999f5
                                  • Instruction ID: ac18820af35a721106230569cdfc8d519dc862201f103e7b98f7d869407cdb16
                                  • Opcode Fuzzy Hash: 6d839294ca01629f10275e7bc0c7d88143ef5bcdae0498cb5f42003a44a999f5
                                  • Instruction Fuzzy Hash: 59219F75F11215AFDB40CF79E850AAEBBF9EB88610F148526EA05E7380E739DC018B90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cb179ef01792dd71516313d1f7199185a2102ae2cb6f7c9f725b537cfd5888d7
                                  • Instruction ID: 48e87988fb40eea8e147a300b9a99c5c1594fec2f6ef1022c47efe58423b1616
                                  • Opcode Fuzzy Hash: cb179ef01792dd71516313d1f7199185a2102ae2cb6f7c9f725b537cfd5888d7
                                  • Instruction Fuzzy Hash: AF21F231B112199FCB50DB69EC54A9EBBBAEFC4310F25842AE905EB785DB31DC41CB80
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fcb272a41b76ceac5eb75244a924404cdfbba67b067fb5baf15492a4eb4d31e2
                                  • Instruction ID: 9faacb880ae1a6922100757b7534257716fee60967e19d9db6f8d824db7c4104
                                  • Opcode Fuzzy Hash: fcb272a41b76ceac5eb75244a924404cdfbba67b067fb5baf15492a4eb4d31e2
                                  • Instruction Fuzzy Hash: CC217C75F112199FDB50CF79D890AAEB7F9EB48210F20852AEA05E7380E739DC408B90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bb8b20e3b5ba75c093e1865860e1fe1f180596006e5c4265c21b4464b17f0c99
                                  • Instruction ID: 20d8dcd6e4fd327cdae6ecd1059e543ba4a192ec501b0b49351d4bef61a8d2ad
                                  • Opcode Fuzzy Hash: bb8b20e3b5ba75c093e1865860e1fe1f180596006e5c4265c21b4464b17f0c99
                                  • Instruction Fuzzy Hash: 8F219571E207198FDF64CFA9C84069EBBB9FF85300F21491AE909FB644D770A845CB80
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2856315922.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_148d000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: af5755130b19559f66cc00649a63288a356695c9df471fc9e011d8f9b68f3b2e
                                  • Instruction ID: 9e477cdbbe6d404daf33311fc65ec12ca2e179aa778adf32fe33268e28f69348
                                  • Opcode Fuzzy Hash: af5755130b19559f66cc00649a63288a356695c9df471fc9e011d8f9b68f3b2e
                                  • Instruction Fuzzy Hash: 062125B5A05304DFDB15EF54D884B1ABB61FB85318F20C56ED84A4B3A6C336D447CA62
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2856315922.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_148d000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ef342ee66234241cc3a2f1dbfa10dc62c9006d94aad41d141d3a5561c457441f
                                  • Instruction ID: fc14c8c8633052da3a7d9d55eaa17f27c2668e0e900541df86787ec77b0250a1
                                  • Opcode Fuzzy Hash: ef342ee66234241cc3a2f1dbfa10dc62c9006d94aad41d141d3a5561c457441f
                                  • Instruction Fuzzy Hash: 952180755093848FDB02DF64D590716BF71EB46214F28C5DBD8498B2A7C33A980BCB62
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4b12203ba672961fab98b8edb21b923b416c6f2d2e9f4181cc13c46ae968687c
                                  • Instruction ID: 8f58d1e3316dbbb04c46eabb41708230c684809d9f7a441d67e27d53dc425b6a
                                  • Opcode Fuzzy Hash: 4b12203ba672961fab98b8edb21b923b416c6f2d2e9f4181cc13c46ae968687c
                                  • Instruction Fuzzy Hash: 2511AD32B205298BDF949B78D8206AF77EAEFC8251B114539D906E7344EE29DC028BD0
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3464bf71087e732ac91ff2033281312eddca126809c9506b1defb265b00a7cea
                                  • Instruction ID: 98543daf85593d8d45c77a2cafd64537a2bc2fdeb62661d0b852dba49bc779f5
                                  • Opcode Fuzzy Hash: 3464bf71087e732ac91ff2033281312eddca126809c9506b1defb265b00a7cea
                                  • Instruction Fuzzy Hash: B801B131B204295BDB9496789C116EF7AABDBC8211F150439D506D7744DE688C0247D1
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.2861801875.00000000069F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_69f0000_7569qiv4L2.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID: