
Windows Analysis Report
C5Zr4LSzmp.exe

Overview

General Information

Sample name: C5Zr4LSzmp.exe (renamed because the original name is a hash value)
Original sample name: e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe
Analysis ID: 1588242
MD5: 1cd6afe88ba532ca70c927d90314eac8
SHA1: 3e5c107a20bad54a81ec0cb7e18e4dddcfca003b
SHA256: e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953
Tags: exe, RedLineStealer, user-adrian__luca

Detection

RedLine
Score:96
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected RedLine Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • C5Zr4LSzmp.exe (PID: 6616 cmdline: "C:\Users\user\Desktop\C5Zr4LSzmp.exe" MD5: 1CD6AFE88BA532CA70C927D90314EAC8)
    • C5Zr4LSzmp.exe (PID: 2504 cmdline: "C:\Users\user\Desktop\C5Zr4LSzmp.exe" MD5: 1CD6AFE88BA532CA70C927D90314EAC8)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware configuration:
{"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Yara matches (memory dumps): Source | Rule | Description | Author | Strings
Source: 00000002.00000002.2964259097.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.1731189168.0000000004457000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 00000000.00000002.1731189168.00000000042A1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: Process Memory Space: C5Zr4LSzmp.exe PID: 6616 | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: Process Memory Space: C5Zr4LSzmp.exe PID: 6616 | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Yara matches (unpacked PE files): Source | Rule | Description | Author | Strings
Source: 0.2.C5Zr4LSzmp.exe.446e868.3.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 0.2.C5Zr4LSzmp.exe.446e868.3.unpack | Rule: infostealer_win_redline_strings | Description: Finds Redline samples based on characteristic strings | Author: Sekoia.io
  • 0x22ec3:$gen01: ChromeGetRoamingName
  • 0x22ee8:$gen02: ChromeGetLocalName
  • 0x22f2b:$gen03: get_UserDomainName
  • 0x26dc4:$gen04: get_encrypted_key
  • 0x25b43:$gen05: browserPaths
  • 0x25e19:$gen06: GetBrowsers
  • 0x25701:$gen07: get_InstalledInputLanguages
  • 0x21bcc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x1218:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x27206:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x272a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x278be:$spe9: *wallet*
  • 0x1fbea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x20114:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x201c1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x1fb98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x1fbc1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0x1fd92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0x1ffe5:$typ11: 2A19BFD7333718195216588A698752C517111B02
  • 0x202d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
Source: 2.2.C5Zr4LSzmp.exe.400000.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
Source: 2.2.C5Zr4LSzmp.exe.400000.0.unpack | Rule: infostealer_win_redline_strings | Description: Finds Redline samples based on characteristic strings | Author: Sekoia.io
  • 0x24cc3:$gen01: ChromeGetRoamingName
  • 0x24ce8:$gen02: ChromeGetLocalName
  • 0x24d2b:$gen03: get_UserDomainName
  • 0x28bc4:$gen04: get_encrypted_key
  • 0x27943:$gen05: browserPaths
  • 0x27c19:$gen06: GetBrowsers
  • 0x27501:$gen07: get_InstalledInputLanguages
  • 0x239cc:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION
  • 0x3018:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}
  • 0x29006:$spe7: OFileInfopeFileInfora GFileInfoX StabFileInfole
  • 0x290a4:$spe8: ApGenericpDaGenericta\RGenericoamiGenericng\
  • 0x296be:$spe9: *wallet*
  • 0x219ea:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0
  • 0x21f14:$typ03: A937C899247696B6565665BE3BD09607F49A2042
  • 0x21fc1:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2
  • 0x21998:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60
  • 0x219c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280
  • 0x21b92:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301
  • 0x21de5:$typ11: 2A19BFD7333718195216588A698752C517111B02
  • 0x220d4:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
Source: 0.2.C5Zr4LSzmp.exe.4423648.0.unpack | Rule: JoeSecurity_RedLine | Description: Yara detected RedLine Stealer | Author: Joe Security
No Sigma rule has matched
No Suricata rule has matched



AV Detection

Source: 00000000.00000002.1731189168.0000000004457000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: RedLine {"C2 url": ["87.120.120.86:1912"], "Bot Id": "LOGS", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Source: C5Zr4LSzmp.exe | Virustotal: Detection: 70%
Source: C5Zr4LSzmp.exe | ReversingLabs: Detection: 73%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C5Zr4LSzmp.exe | Joe Sandbox ML: detected
Source: C5Zr4LSzmp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C5Zr4LSzmp.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.000000000101C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbU source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32> source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.000000000101C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbA source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000001014000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SWhi.pdb source: C5Zr4LSzmp.exe
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbF source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.000000000105B000.00000004.00000020.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2965267471.000000000104F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SWhi.pdbSHA256 source: C5Zr4LSzmp.exe
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe | Code function: 4x nop then jmp 08417A66h | 0_2_08416EE0

Networking

Source: Malware configuration extractor | URLs: 87.120.120.86:1912
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 87.120.120.86:1912
Source: Joe Sandbox View | IP Address: 87.120.120.86 87.120.120.86
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
Source: unknown | TCP traffic detected without corresponding DNS query: 87.120.120.86
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: C5Zr4LSzmp.exe, 00000000.00000002.1729925069.00000000032A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/8
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10LRsqP
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11LRsqH
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12LRsq0
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12LRsqT
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13LRsqL
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14LRsqX
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15LRsqP
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16LRsqP7
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17LRsqH
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18LRsq(b
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18LRsqT
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20LRsqT7
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20LRsqx
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21LRsq
Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id21Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22LRsq(L
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22LRsqd(
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22LRsqpa
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23LRsqx2
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24LRsqT
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2LRsqh
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LRsq4
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3LRsqh
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4LRsqh
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LRsqH
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5LRsqdc
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id5Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6LRsqXn
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id6Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id7Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LRsq4
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8LRsqp
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id8Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LRsq
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9LRsqP
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id9Response
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/x
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1731189168.0000000004457000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000000.00000002.1731189168.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2964259097.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip

                  System Summary

                  Source: 0.2.C5Zr4LSzmp.exe.446e868.3.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 2.2.C5Zr4LSzmp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.C5Zr4LSzmp.exe.4423648.0.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.C5Zr4LSzmp.exe.446e868.3.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.C5Zr4LSzmp.exe.4423648.0.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: 0.2.C5Zr4LSzmp.exe.4394228.2.raw.unpack, type: UNPACKEDPEMatched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_056E3E340_2_056E3E34
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_056EE1240_2_056EE124
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_056E6F900_2_056E6F90
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_06786BB00_2_06786BB0
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_06786BA10_2_06786BA1
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_07A136680_2_07A13668
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_07A112400_2_07A11240
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_07A141170_2_07A14117
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_07A112300_2_07A11230
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_07A16D080_2_07A16D08
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_08418AA80_2_08418AA8
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_084134E80_2_084134E8
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_084130B00_2_084130B0
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_084139200_2_08413920
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_08414BC00_2_08414BC0
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 0_2_08414FF80_2_08414FF8
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeCode function: 2_2_00F5DC742_2_00F5DC74
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1731189168.0000000004457000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000000.1702238416.0000000000D52000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameSWhi.exeJ vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1731189168.00000000044A2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1731189168.00000000044A2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1729175244.000000000155E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1736744166.0000000008090000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1737545730.00000000098D0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1731189168.00000000042A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000000.00000002.1731189168.00000000042A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2964259097.0000000000446000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSteanings.exe8 vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exeBinary or memory string: OriginalFilenameSWhi.exeJ vs C5Zr4LSzmp.exe
                  Source: C5Zr4LSzmp.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 0.2.C5Zr4LSzmp.exe.446e868.3.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 2.2.C5Zr4LSzmp.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.C5Zr4LSzmp.exe.4423648.0.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.C5Zr4LSzmp.exe.446e868.3.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.C5Zr4LSzmp.exe.4423648.0.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: 0.2.C5Zr4LSzmp.exe.4394228.2.raw.unpack, type: UNPACKEDPEMatched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
                  Source: C5Zr4LSzmp.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: classification engineClassification label: mal96.troj.evad.winEXE@3/1@0/1
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C5Zr4LSzmp.exe.logJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeMutant created: NULL
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                  Source: C5Zr4LSzmp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C5Zr4LSzmp.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C5Zr4LSzmp.exe Virustotal: Detection: 70%
                  Source: C5Zr4LSzmp.exe ReversingLabs: Detection: 73%
                  Source: unknown Process created: C:\Users\user\Desktop\C5Zr4LSzmp.exe "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Process created: C:\Users\user\Desktop\C5Zr4LSzmp.exe "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: mscoree.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: wldp.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: profapi.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: cryptsp.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: rsaenh.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: cryptbase.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: dwrite.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: windowscodecs.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: textshaping.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: amsi.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: msasn1.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: gpapi.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: msvcp140_clr0400.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Section loaded: mswsock.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: C5Zr4LSzmp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: C5Zr4LSzmp.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: C5Zr4LSzmp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.000000000101C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\System.ServiceModel.pdbU source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32> source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.000000000101C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdbA source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000001014000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: SWhi.pdb source: C5Zr4LSzmp.exe
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbF source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.000000000105B000.00000004.00000020.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2965267471.000000000104F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: SWhi.pdbSHA256 source: C5Zr4LSzmp.exe
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdb source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000000FB6000.00000004.00000020.00020000.00000000.sdmp
                  Source: C5Zr4LSzmp.exe Static PE information: timestamp 0xB0E81075 [Sat Jan 19 20:03:01 2064 UTC]
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Code function: 0_2_080BA7F8 pushad ; iretd 0_2_080BA7F9
                  Source: C5Zr4LSzmp.exe Static PE information: section name: .text entropy: 7.619026885043087
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match File source: Process Memory Space: C5Zr4LSzmp.exe PID: 6616, type: MEMORYSTR
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: 1790000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: 32A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: 30F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: 9AA0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: AAA0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: ACC0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: BCC0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: F50000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: 2AE0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: 4AE0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 240000
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 239875
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 239766
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 239656
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 239511
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 239391
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 239280
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 239171
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 239060
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 238938
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 238813
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 238688
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 238573
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 238451
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 238266
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 238099
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 237703
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 237568
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Window / User API: threadDelayed 1086
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Window / User API: threadDelayed 1405
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -10145709240540247s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -240000s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -239875s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -239766s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -239656s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -239511s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -239391s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -239280s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -239171s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -239060s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -238938s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -238813s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -238688s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -238573s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -238451s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -238266s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -238099s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -237703s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6708 Thread sleep time: -237568s >= -30000s
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe TID: 6688 Thread sleep time: -922337203685477s >= -30000s
                  Source: C5Zr4LSzmp.exe, 00000002.00000002.2965267471.0000000001067000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Memory written: C:\Users\user\Desktop\C5Zr4LSzmp.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Process created: C:\Users\user\Desktop\C5Zr4LSzmp.exe "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Users\user\Desktop\C5Zr4LSzmp.exe VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Users\user\Desktop\C5Zr4LSzmp.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\C5Zr4LSzmp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.446e868.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.C5Zr4LSzmp.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.4423648.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.446e868.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.4423648.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.4394228.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.2964259097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1731189168.0000000004457000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1731189168.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: C5Zr4LSzmp.exe PID: 6616, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: C5Zr4LSzmp.exe PID: 2504, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.446e868.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 2.2.C5Zr4LSzmp.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.4423648.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.446e868.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.4423648.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.C5Zr4LSzmp.exe.4394228.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.2964259097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1731189168.0000000004457000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.1731189168.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: C5Zr4LSzmp.exe PID: 6616, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: C5Zr4LSzmp.exe PID: 2504, type: MEMORYSTR
                  Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                  Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | DLL Side-Loading (1) | Process Injection (111) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                  Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | Disable or Modify Tools (1) | LSASS Memory | Virtualization/Sandbox Evasion (31) | Remote Desktop Protocol | Data from Removable Media | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service
                  Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (31) | Security Account Manager | Application Window Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact
                  Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection (111) | NTDS | System Information Discovery (12) | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                  Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information (3) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                  Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Software Packing (2) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                  DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Timestomp (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                  Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading (1) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source              Detection   Scanner           Label
C5Zr4LSzmp.exe      71%         Virustotal
C5Zr4LSzmp.exe      74%         ReversingLabs     ByteCode-MSIL.Trojan.AgentTesla
C5Zr4LSzmp.exe      100%        Joe Sandbox ML
No Antivirus matches

Source              Detection   Scanner           Label
87.120.120.86:1912  0%          Avira URL Cloud   safe

No contacted domains info

Name                Malicious   Antivirus Detection      Reputation
87.120.120.86:1912  true        Avira URL Cloud: safe    unknown
                                                                                                                                                            http://www.goodfont.co.krC5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              http://tempuri.org/Entity/Id23LRsqx2C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                http://tempuri.org/Entity/Id23ResponseC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://tempuri.org/Entity/Id22LRsq(LC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    http://www.typography.netDC5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://www.galapagosdesign.com/staff/dennis.htmC5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        http://tempuri.org/Entity/Id9LRsqC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponseC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            http://schemas.xmlsoap.org/ws/2004/08/addressing/faultC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://tempuri.org/Entity/Id17ResponseC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
                                                                                                                                                                                http://tempuri.org/Entity/Id22LRsqpaC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  http://tempuri.org/Entity/Id14LRsqC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    http://tempuri.org/Entity/Id20ResponseC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      http://tempuri.org/Entity/Id11LRsqHC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        http://www.fonts.comC5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          http://www.sandoll.co.krC5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            http://tempuri.org/Entity/Id13ResponseC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              http://tempuri.org/Entity/Id4ResponseC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                http://www.sakkal.comC5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/right/possesspropertyC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    http://tempuri.org/Entity/Id20LRsqC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      http://www.apache.org/licenses/LICENSE-2.0C5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://www.fontbureau.comC5Zr4LSzmp.exe, 00000000.00000002.1735789235.0000000007A42000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgementC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            http://tempuri.org/Entity/Id18LRsqTC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              http://tempuri.org/Entity/Id7ResponseC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  http://tempuri.org/Entity/Id12LRsqTC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    http://tempuri.org/Entity/Id7LRsqC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002BEE000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C92000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002C43000.00000004.00000800.00020000.00000000.sdmp, C5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002CE0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      http://tempuri.org/xC5Zr4LSzmp.exe, 00000002.00000002.2966287904.0000000002AE1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
Contacted IPs

IP: 87.120.120.86
Domain: unknown
Country: Bulgaria
ASN: 25206
ASN Name: UNACS-AS-BG8000BurgasBG
Malicious: true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588242
Start date and time: 2025-01-10 22:58:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: C5Zr4LSzmp.exe
renamed because original name is a hash value
Original Sample Name: e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953.exe
Detection: MAL
Classification: mal96.troj.evad.winEXE@3/1@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 184
• Number of non-executed functions: 10
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27, 172.202.163.200, 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
16:59:31 | API Interceptor | 19x Sleep call for process: C5Zr4LSzmp.exe modified
Match: 87.120.120.86
Associated Sample Name / URL | Detection | Threat Name
VmoLw6EKj5.exe | malicious | RedLine
Xf3rn1smZw.exe | malicious | RedLine
2eRd5imEKU.exe | malicious | RedLine
2eRd5imEKU.exe | malicious | RedLine
17.12.2024 ________.exe | malicious | RedLine
#U0417#U0430#U043f#U0440#U043e#U0441 11.12.2024.exe | malicious | RedLine
po4877383.exe | malicious | RedLine
No context
Match: UNACS-AS-BG8000BurgasBG
Associated Sample Name / URL | Detection | Threat Name | Context
2XnMqJW0u1.exe | malicious | XWorm | 87.120.120.15
VmoLw6EKj5.exe | malicious | RedLine | 87.120.120.86
QwMcsmYcxv.exe | malicious | AsyncRAT, VenomRAT | 87.120.120.15
QwMcsmYcxv.exe | malicious | AsyncRAT, VenomRAT | 87.120.120.15
Xf3rn1smZw.exe | malicious | RedLine | 87.120.120.86
wqSmINeWgm.exe | malicious | RedLine | 87.120.120.7
2eRd5imEKU.exe | malicious | RedLine | 87.120.120.86
2eRd5imEKU.exe | malicious | RedLine | 87.120.120.86
17364916859ea2c227941e63335bcf02a749f58a3f6d7a5fc5312d32a2ea1c4a4cc26022a4160.dat-decoded.exe | malicious | XWorm | 87.120.116.179
Material Requirments.pif.exe | malicious | Remcos, PureLog Stealer | 87.120.116.245
No context
No context
Process: C:\Users\user\Desktop\C5Zr4LSzmp.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1415
Entropy (8bit): 5.352427679901606
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
MD5: 97AD91F1C1F572C945DA12233082171D
SHA1: D5E33DDAB37E32E416FC40419FB26B3C0563519D
SHA-256: 3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
SHA-512: 8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
Malicious: true
Reputation: moderate, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.605295850065602
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: C5Zr4LSzmp.exe
File size: 872'448 bytes
MD5: 1cd6afe88ba532ca70c927d90314eac8
SHA1: 3e5c107a20bad54a81ec0cb7e18e4dddcfca003b
SHA256: e14cf1238643d04a93157a0416329f7f8b08a9ceff996b870be593df328d6953
SHA512: d338745cc39ad49e6d94251d2bbc2dc2c2af77ee37fe4fd952ea765a3159e45adb2da316fab36a2f39344d87ed37c0eac91a4f1026e5c31936f38e7a28f2d3bd
SSDEEP: 24576:yuxXOKVpvO/cmyGMELxcPZrUm/t3rwFO:rxXdfOEOM6SPtUCQ
TLSH: 0A05E020376ECB06C52947F40A70E2B813B97D9EE811E21B6DD9BEDF7872F154A10683
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u.................0..4..........6R... ...`....@.. ....................................@................................
Icon Hash: 32642092d4f29244
Entrypoint: 0x4d5236
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xB0E81075 [Sat Jan 19 20:03:01 2064 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                                                                                      Instruction
                                                                                                                                                                                                                                      jmp dword ptr [00402000h]
                                                                                                                                                                                                                                      push ebx
                                                                                                                                                                                                                                      add byte ptr [ecx+00h], bh
                                                                                                                                                                                                                                      jnc 00007F1E20B150F2h
                                                                                                                                                                                                                                      je 00007F1E20B150F2h
                                                                                                                                                                                                                                      add byte ptr [ebp+00h], ch
                                                                                                                                                                                                                                      add byte ptr [ecx+00h], al
                                                                                                                                                                                                                                      arpl word ptr [eax], ax
                                                                                                                                                                                                                                      je 00007F1E20B150F2h
                                                                                                                                                                                                                                      imul eax, dword ptr [eax], 00610076h
                                                                                                                                                                                                                                      je 00007F1E20B150F2h
                                                                                                                                                                                                                                      outsd
                                                                                                                                                                                                                                      add byte ptr [edx+00h], dh
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
                                                                                                                                                                                                                                      add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd51e4 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd6000 | 0x1714 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xd8000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xd2bec | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xd325c | 0xd3400 | 277898f4c3a94b84e4dac44cc949fdd9 | False | 0.834451275887574 | data | 7.619026885043087 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xd6000 | 0x1714 | 0x1800 | baf0099e104e36d99ed0c61fa11226d7 | False | 0.3846028645833333 | data | 5.0988844986283475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xd8000 | 0xc | 0x200 | 470b862ce9d1fb587fe50bf636605e20 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd6130 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.3726547842401501
RT_GROUP_ICON | 0xd71d8 | 0x14 | data | | | 1.1
RT_VERSION | 0xd71ec | 0x33c | data | | | 0.42995169082125606
RT_MANIFEST | 0xd7528 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 22:59:35.329130888 CET | 49733 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 22:59:35.334078074 CET | 1912 | 49733 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 22:59:35.336159945 CET | 49733 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 22:59:35.345096111 CET | 49733 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 22:59:35.349890947 CET | 1912 | 49733 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 22:59:56.701649904 CET | 1912 | 49733 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 22:59:56.701750040 CET | 49733 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 22:59:56.726735115 CET | 49733 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:01.741389036 CET | 49742 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:01.746710062 CET | 1912 | 49742 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 23:00:01.746814013 CET | 49742 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:01.747172117 CET | 49742 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:01.752352953 CET | 1912 | 49742 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 23:00:23.137167931 CET | 1912 | 49742 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 23:00:23.137264013 CET | 49742 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:23.137548923 CET | 49742 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:28.146015882 CET | 49755 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:28.151134014 CET | 1912 | 49755 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 23:00:28.151254892 CET | 49755 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:28.151623964 CET | 49755 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:28.157917976 CET | 1912 | 49755 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 23:00:49.550605059 CET | 1912 | 49755 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 23:00:49.550678015 CET | 49755 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:49.551058054 CET | 49755 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:54.568223953 CET | 49907 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:54.573081017 CET | 1912 | 49907 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 23:00:54.574012041 CET | 49907 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:54.574389935 CET | 49907 | 1912 | 192.168.2.4 | 87.120.120.86
Jan 10, 2025 23:00:54.579178095 CET | 1912 | 49907 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 23:01:15.948374033 CET | 1912 | 49907 | 87.120.120.86 | 192.168.2.4
Jan 10, 2025 23:01:15.948515892 CET | 49907 | 1912 | 192.168.2.4 | 87.120.120.86
                                                                                                                                                                                                                                      Jan 10, 2025 23:01:15.948875904 CET499071912192.168.2.487.120.120.86
                                                                                                                                                                                                                                      Jan 10, 2025 23:01:20.969451904 CET500131912192.168.2.487.120.120.86
                                                                                                                                                                                                                                      Jan 10, 2025 23:01:20.974478960 CET19125001387.120.120.86192.168.2.4
                                                                                                                                                                                                                                      Jan 10, 2025 23:01:20.974548101 CET500131912192.168.2.487.120.120.86
                                                                                                                                                                                                                                      Jan 10, 2025 23:01:20.976686001 CET500131912192.168.2.487.120.120.86
                                                                                                                                                                                                                                      Jan 10, 2025 23:01:20.981520891 CET19125001387.120.120.86192.168.2.4


Target ID: 0
Start time: 16:59:31
Start date: 10/01/2025
Path: C:\Users\user\Desktop\C5Zr4LSzmp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
Imagebase: 0xd50000
File size: 872'448 bytes
MD5 hash: 1CD6AFE88BA532CA70C927D90314EAC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1731189168.0000000004457000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1731189168.00000000042A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 16:59:33
Start date: 10/01/2025
Path: C:\Users\user\Desktop\C5Zr4LSzmp.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\C5Zr4LSzmp.exe"
Imagebase: 0x860000
File size: 872'448 bytes
MD5 hash: 1CD6AFE88BA532CA70C927D90314EAC8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.2964259097.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


Execution Graph

Execution Coverage: 10.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 1.1%
Total number of Nodes: 177
Total number of Limit Nodes: 5
Strings

Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (osq$4'sq$4'sq$4'sq$4'sq
                                                                                                                                                                                                                                        • API String ID: 0-1963001078
                                                                                                                                                                                                                                        • Opcode ID: 7146d0fb18f98335cf446258c4ede97ebcc8a475ee7a1ffab9e8e014a9b459a6
                                                                                                                                                                                                                                        • Instruction ID: b787c787436a0332dfc225d0e3078b8f2331a0209811787f0f4bdc8c9258937e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7146d0fb18f98335cf446258c4ede97ebcc8a475ee7a1ffab9e8e014a9b459a6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: E443E8B4E00219CFDB64DF68C888A9DB7B2BF89310F158599E459AB361DB31ED81CF44
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: (osq$(osq$,wq$,wq$Hwq
                                                                                                                                                                                                                                        • API String ID: 0-660065146
                                                                                                                                                                                                                                        • Opcode ID: e83e3fb356071bdad5f6a66458637a35bedcf61afc262f5a7d2801d3d5c3f9bc
                                                                                                                                                                                                                                        • Instruction ID: 233667a8a249c8405554db4028cb49a7ba188eee1beb23b943c3255cfb27d69c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e83e3fb356071bdad5f6a66458637a35bedcf61afc262f5a7d2801d3d5c3f9bc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4E525DB5B00116DFEF18DF69C494A6DBBB6BF84310B158169E916DB3A0DB31EC41CB90

                                                                                                                                                                                                                                        Control-flow Graph

                                                                                                                                                                                                                                        • Executed
[Control-flow graph image: basic blocks spanning 7a11240-7a11ce1, entry block 7a11240-7a11271; executed/not-executed colouring not recoverable from the export]
Strings
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 75d1acc0acacea8b669f19eb3b766732696896566fe476a143d7ff19176789d6
• Instruction ID: eb0b061c4a40733d9dd3e0a1cd10981796c317790eacfffdb95b89ede02d0926
• Opcode Fuzzy Hash: 75d1acc0acacea8b669f19eb3b766732696896566fe476a143d7ff19176789d6
• Instruction Fuzzy Hash: B262D0B4E05229CFDB64DF69C984BDEBBB2BB89301F1081E9D519A7250DB309E85CF50
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e507d7043bcac5d719c18b0fac5ecdeb003187987cb435ea5fc860c1ccfa8360
• Instruction ID: efaa54825e66f8dee36bcd26bccca95e88c47be82e7e18cee3b33474c5df45bb
• Opcode Fuzzy Hash: e507d7043bcac5d719c18b0fac5ecdeb003187987cb435ea5fc860c1ccfa8360
• Instruction Fuzzy Hash: A5C17870B027048FDB2ADB76C85476FB7E6AF89601F14846ED156DB390DB38E902CB51
Memory Dump Source
• Source File: 00000000.00000002.1732888484.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65f9f2d77852d591bbe8a22512bbcc8d1726add21171de9017d1b8904b36e39e
• Instruction ID: e93f01b199fc849df05c19fe9a8127c7fdbb74ecd8f9064e830bb62f6713a8a1
• Opcode Fuzzy Hash: 65f9f2d77852d591bbe8a22512bbcc8d1726add21171de9017d1b8904b36e39e
• Instruction Fuzzy Hash: 2581B474E01209DBDF18DFE9D894AAEBBB2FF89300F208129D915AB364DB345942DF51
Memory Dump Source
• Source File: 00000000.00000002.1732888484.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 79f6b2303e71b3ba8b97663dfd51d1cb83cd062b41311c49fc664e3894b05e55
• Instruction ID: c39048fc505bf322e14dc789fc36007eebf67fc91659d5165ba4711ed5e8f1ad
• Opcode Fuzzy Hash: 79f6b2303e71b3ba8b97663dfd51d1cb83cd062b41311c49fc664e3894b05e55
• Instruction Fuzzy Hash: 3B51C6B0E022499FCB18DFE9D894ADEBBB2FF89300F148529D415BB364DB345946CB91
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6bbffbaac3db846d8a102b6bc9104befd3962f08500912af5f27bffa75ad898
• Instruction ID: 8f8720e1a68b87d26d645d1c6f0abb2e48b83888c428391c86769f4d92a1ae43
• Opcode Fuzzy Hash: d6bbffbaac3db846d8a102b6bc9104befd3962f08500912af5f27bffa75ad898
• Instruction Fuzzy Hash: 82411274E09228CFDF60CF54C945BE9B7B9BB19302F1090DAE949A7285D7B09AC6CF50

Control-flow Graph
[Control-flow graph image: basic blocks spanning 7a1a348-7a1a52e, entry block 7a1a348-7a1a35f; calls to 7a18a74, 7a18a84, 7a18a34 and to 6782b38/6782b29; executed/not-executed colouring not recoverable from the export]
Strings
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: Hwq$Hwq$Hwq
• API String ID: 0-3312440009
• Opcode ID: 9f9d5f472a10c85962fa2d44f285efd069f9ac835cae35716640162996eee835
• Instruction ID: d3bc47ef3dc05af9b502bddd03e98bc97dee5485e6dfad0c9bf9708f8ac66597
• Opcode Fuzzy Hash: 9f9d5f472a10c85962fa2d44f285efd069f9ac835cae35716640162996eee835
• Instruction Fuzzy Hash: 7841E4B03052418BDB99AB78A55463E7BEBAFC5254B64487DD922CF384EF38CC02C765

Control-flow Graph
[Control-flow graph image: basic blocks spanning 80b9250-80b93ae, entry block 80b9250-80b9276; executed/not-executed colouring not recoverable from the export]
Strings
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: 8wq$8wq$8wq
• API String ID: 0-3145463988
• Opcode ID: 26b0914f48740cdeea7bf4e8d41977e528a9db7fc017f09f54be660c0e7df093
• Instruction ID: a30ea3b69dc869fb881eb3a71326a3e0f64e4fb92cbc75cfbbe48bf73e97ad24
• Opcode Fuzzy Hash: 26b0914f48740cdeea7bf4e8d41977e528a9db7fc017f09f54be660c0e7df093
• Instruction Fuzzy Hash: 00317674E08206DFCB4497F884555FDBFA3EBC9701F10856ADB46AB381EA354C0287A2

Control-flow Graph
[Control-flow graph image: basic blocks spanning 80b839f-80b8587, entry block 80b839f-80b83d7; executed/not-executed colouring not recoverable from the export]
Strings
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: 8$$sq$$sq
• API String ID: 0-1239462738
• Opcode ID: 890e0f091738c93b4b4568cf5d12cc8205ecc6c35f3ff2ea7ef4ad5d96e82871
• Instruction ID: f5d4add00126e93d6fb1efad43d8d7551ce517eb57a4147ea64ea86086c91634
• Opcode Fuzzy Hash: 890e0f091738c93b4b4568cf5d12cc8205ecc6c35f3ff2ea7ef4ad5d96e82871
• Instruction Fuzzy Hash: 70012670B00205DBEB208B28DC277EE7266BB44B02F14CC76D9059F692EAA09C81C791

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: (wq$Hwq
• API String ID: 0-584953801
• Opcode ID: 154b63c7d99bf467029a3bd9737e459935781d3be5f322ba0f425c8b6ca64952
• Instruction ID: 1644d108cc5bd371cc35a6c40fad3429d108fc95ec705f833c0cf55b13c79fdc
• Opcode Fuzzy Hash: 154b63c7d99bf467029a3bd9737e459935781d3be5f322ba0f425c8b6ca64952
• Instruction Fuzzy Hash: 92719D75A002198FDB54EFA9D9487EEBBE6EB88311F14842DD405EB350DF389D02CBA5

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: Tesq$Tesq
• API String ID: 0-1365298620
• Opcode ID: 11c21bae5c08c9b7d178227e70f9b62877221504159b370494f27e111afeadc1
• Instruction ID: d8812c4dec5eb05830389582d0c4902d991c4d2aab54936e5dfe6cab516b5c91
• Opcode Fuzzy Hash: 11c21bae5c08c9b7d178227e70f9b62877221504159b370494f27e111afeadc1
• Instruction Fuzzy Hash: D151C274E04249CFDB44DFEAC884AEDBBB6BF89301F108129E519AB365DB305946CF50

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: $sq$$sq
• API String ID: 0-1184984226
• Opcode ID: 953f9e70ec600e8c0222782ab82f95f753488c98d42b3dbb43266616f2674dc0
• Instruction ID: 9d089b3520f33694fbe671cd0b04fcca3d4e871284d3386004fa0e701c48c0d8
• Opcode Fuzzy Hash: 953f9e70ec600e8c0222782ab82f95f753488c98d42b3dbb43266616f2674dc0
• Instruction Fuzzy Hash: F801B17060E241DFC3558BACD8152AABBFBBB06383F04C2FAD509CB162C7358841C76A

Control-flow Graph
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08415F26
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 722d38d33a4dbf7ae2ff42786fa5bcbedae4ad7ce01844c5420fb25da853db58
• Instruction ID: 2fdb34bd99380a3503aa22297927bddf8b853d65328a8f8c22fed848b494b988
• Opcode Fuzzy Hash: 722d38d33a4dbf7ae2ff42786fa5bcbedae4ad7ce01844c5420fb25da853db58
• Instruction Fuzzy Hash: E4A15B71D01219DFDF24CF68C945BEEBBB2EF88311F1581AAE809A7240D7749985CF91

Control-flow Graph
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08415F26
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: c11279463a6eba65bbde866da94c103b3d7ed6a0ec2bca9c508e8e7c9fd7eab2
• Instruction ID: bf1d7b86e70734443c1c62322646a94b067b4bcf93d1b0bca0365aa0b694600b
• Opcode Fuzzy Hash: c11279463a6eba65bbde866da94c103b3d7ed6a0ec2bca9c508e8e7c9fd7eab2
• Instruction Fuzzy Hash: 61914A71D01219CFDF24CF68C945BDEBBB2EB88311F1581AAE809A7240DB749985CF91

Control-flow Graph (graph includes a call to GetModuleHandleW)
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1732888484.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_56e0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b65cc459c50770580d1e00b74954d2414cda23b24b3389c204080bb2fb5340f2
                                                                                                                                                                                                                                        • Instruction ID: 5389d4acba9599d201082c41512310dddd1a3f2818b15236399c03a47ac64608
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b65cc459c50770580d1e00b74954d2414cda23b24b3389c204080bb2fb5340f2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 66916670A02B458FD725CF69D44575ABBF2FF88204F048A2ED086CBB61DB75E846CB91
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 08418185
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: MessagePost
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 410705778-0
                                                                                                                                                                                                                                        • Opcode ID: ff404ebe33d7cc42dba9c60e6d866648da2ecc2961613d822c448e64a7f82a11
                                                                                                                                                                                                                                        • Instruction ID: e8075d8b02c8571d7a34b8e9ab3bbe9d01ee0d21462ea4a6b486d41c05c0680d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ff404ebe33d7cc42dba9c60e6d866648da2ecc2961613d822c448e64a7f82a11
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AD610672C093988FCB12DFA8D8957DABFF4EF46221F15409BC484EB252D2756804CBE6
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 056E59C9
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1732888484.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_56e0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Create
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                                                                                                                        • Opcode ID: 813e64544248b2075b2df24868b99d05846b3f61147a3b050e26702a528804b5
                                                                                                                                                                                                                                        • Instruction ID: 93ca4dd12b851f621cc67ca41b3957c9f9b85851a5b2df9093b59063853d7a6d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 813e64544248b2075b2df24868b99d05846b3f61147a3b050e26702a528804b5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6C41E0B0C01719CADF24CFA9C985BCEBBF5BF49308F60806AD409AB255DB756949CF50
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • CreateActCtxA.KERNEL32(?), ref: 056E59C9
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1732888484.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_56e0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: Create
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2289755597-0
                                                                                                                                                                                                                                        • Opcode ID: a608552c4450743f283f92aa1e3d538406aadc5f808efa8175e4f665a9d9a236
                                                                                                                                                                                                                                        • Instruction ID: a454f7ad3096d8194c534b531b7bf5dfb5bc29185e94042622e6526abb6f1879
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a608552c4450743f283f92aa1e3d538406aadc5f808efa8175e4f665a9d9a236
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C441E1B0C0161DCADF24CFA9C984B8EBBF5BF49304F60806AD409AB251DB756949CF90
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08415AF8
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                                                                                                                        • Opcode ID: 28151e8330357994effd2f159a70d108f02743b6081b6cdcf5e6ae6f31e97a82
                                                                                                                                                                                                                                        • Instruction ID: 94be3349c11001a0c93145eb23ec29955bec56b0e451392f127e1ed538c6f9fe
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 28151e8330357994effd2f159a70d108f02743b6081b6cdcf5e6ae6f31e97a82
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B92125B19003499FCF10CFA9C981BDEBFF5BF88320F14842AE919A7250C7789944DB60
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0678F05F
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735261971.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_6780000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DrawText
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2175133113-0
                                                                                                                                                                                                                                        • Opcode ID: 53f5e03021490acd0276b4326ca77e6426787e1a28d53a2c66f3f726b810aed1
                                                                                                                                                                                                                                        • Instruction ID: dcd335ef9b32ce6da5c8e2960a7397dac54462af07f2156cb11b70d39fff2d2a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 53f5e03021490acd0276b4326ca77e6426787e1a28d53a2c66f3f726b810aed1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0D31E2B5D003099FCB10CF9AD884AAEFBF5FB48320F14842AE819A7310D375A940CFA0
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08415AF8
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: MemoryProcessWrite
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3559483778-0
                                                                                                                                                                                                                                        • Opcode ID: 23db97571bb6e4d6459b8077fa0335473a614e84d3c41b3a5a2afa8a6c677cf2
                                                                                                                                                                                                                                        • Instruction ID: 94ceb18a7de07fe9f69eb13bef51b9c6fc2d114d02605706a60e06a092f9cd03
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 23db97571bb6e4d6459b8077fa0335473a614e84d3c41b3a5a2afa8a6c677cf2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EC2117B19003499FDF10CFA9C985BDEBBF5FF88310F14842AE519A7240C7789944DBA0
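The function records above share one pattern worth pulling out by hand: WriteProcessMemory and ReadProcessMemory are both referenced from code in the 08410000 region, whose dump is marked "based on PE: false", i.e. it is not an image mapping (for a .NET sample, typically JIT-compiled native code), while the CreateActCtxA and DrawTextExW call sites live in other non-PE-backed regions. Note also that the two WriteProcessMemory records point at the same ref address 08415AF8, so counting records overstates the number of call sites. The following Python is an added example, not part of the Joe Sandbox report or of the sample's own code: it parses "APIs" and "Memory Dump Source" lines in the layout shown on this page (assumed stable across reports), deduplicates by call site, and flags regions that hold two or more distinct process-injection primitives. The injection API list and the two-API threshold are this example's own heuristics; the sample input is constructed from the records on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: API and Memory Dump Source lines copied from the function
# records on this page (one WriteProcessMemory record deliberately repeated,
# as the report itself does).
SAMPLE_RECORDS = """\
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 08418185
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
APIs
• CreateActCtxA.KERNEL32(?), ref: 056E59C9
Memory Dump Source
• Source File: 00000000.00000002.1732888484.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08415AF8
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08415AF8
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08415BD8
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
"""

# "<API>.<Module>(<args>), ref: <addr>"  (bullet optional, args never contain ')')
API_RE = re.compile(
    r"^[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# "... Offset: <base>, based on PE: <true|false>"
SRC_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)", re.I)

# Heuristic list (this example's assumption): APIs that read, write or map code
# into another process, or redirect a thread there.
INJECTION_APIS = {
    "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory",
    "NtWriteVirtualMemory", "NtReadVirtualMemory", "NtUnmapViewOfSection",
    "ZwUnmapViewOfSection", "SetThreadContext", "Wow64SetThreadContext",
    "ResumeThread", "CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC",
}


@dataclass(frozen=True)
class ApiRef:
    api: str
    module: str
    args: tuple
    ref: int          # call-site address taken from "ref:"
    region_base: int  # "Offset:" of the memory dump the call site lives in
    pe_backed: bool   # "based on PE: true/false"


def parse_records(text):
    """Attach each API line to the Memory Dump Source line that follows it."""
    refs, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            pending.append(m)
            continue
        s = SRC_RE.search(line)
        if s:
            base = int(s.group("base"), 16)
            pe = s.group("pe").lower() == "true"
            for m in pending:
                args = tuple(a.strip() for a in m.group("args").split(","))
                refs.append(ApiRef(m.group("api"), m.group("module"), args,
                                   int(m.group("ref"), 16), base, pe))
            pending = []
    return refs


def injection_call_sites(refs):
    """Distinct (api, call-site) pairs per non-PE-backed region; duplicate
    records for the same ref address collapse into one entry."""
    sites = defaultdict(set)
    for r in refs:
        if r.api in INJECTION_APIS and not r.pe_backed:
            sites[r.region_base].add((r.api, r.ref))
    return dict(sites)


def suspicious_regions(refs, min_distinct_apis=2):
    """Regions whose unbacked code calls at least min_distinct_apis different
    injection primitives; sorted API names per region base."""
    out = {}
    for base, pairs in injection_call_sites(refs).items():
        apis = sorted({api for api, _ in pairs})
        if len(apis) >= min_distinct_apis:
            out[base] = apis
    return out


if __name__ == "__main__":
    parsed = parse_records(SAMPLE_RECORDS)
    for base, apis in suspicious_regions(parsed).items():
        print(f"region {base:08X} (not PE-backed): {', '.join(apis)}")
```

Run on the constructed sample it reports only region 08410000 with ReadProcessMemory and WriteProcessMemory; the repeated WriteProcessMemory record contributes no second call site. The region filter matters: the same two APIs referenced from a mapped image of a legitimate debugger or crash handler would not be flagged, whereas their presence in unbacked, dynamically generated code alongside the suspended self-re-execution noted in the process tree is the combination that corresponds to the report's injection signatures.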
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • DrawTextExW.USER32(?,?,?,?,?,?), ref: 0678F05F
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735261971.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_6780000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DrawText
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 2175133113-0
                                                                                                                                                                                                                                        • Opcode ID: 92d64eb8f3bea342977cf72bb399020cb341dd61f2162daf4f235ac592c9d1c0
                                                                                                                                                                                                                                        • Instruction ID: 3580257d2afb335d603d0943e4a1ce870bba7f95265e471b90b3f36f6b03de1f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 92d64eb8f3bea342977cf72bb399020cb341dd61f2162daf4f235ac592c9d1c0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 8A21C0B5D003099FDB10DF9AD884AAEFBF5FB48320F14842AE919A7310D775A944CFA0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08415BD8
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,056ED78E,?,?,?,?,?), ref: 056ED84F
Memory Dump Source
• Source File: 00000000.00000002.1732888484.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0841594E
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,056ED78E,?,?,?,?,?), ref: 056ED84F
Memory Dump Source
• Source File: 00000000.00000002.1732888484.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0841594E
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08415BD8
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08415A16
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08415A16
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 056EB566
Memory Dump Source
• Source File: 00000000.00000002.1732888484.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_56e0000_C5Zr4LSzmp.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 08418185
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 08418185
Memory Dump Source
• Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: (wq
• API String ID: 0-1062398946
Strings
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: d8xq
• API String ID: 0-2140977460
Strings
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: %*&/)(#$^@!~-_
• API String ID: 0-3325533558
Strings
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: %*&/)(#$^@!~-_
• API String ID: 0-3325533558
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Hwq
                                                                                                                                                                                                                                        • API String ID: 0-933684408
                                                                                                                                                                                                                                        • Opcode ID: 6b81fc15a27121fcf30f273a4a590d23355f0440d9066262f7432a7c4ac1f99a
                                                                                                                                                                                                                                        • Instruction ID: 9cc024578859cceb872b4debb07d109176532642adff5cfe25f5ef92e7d207ec
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6b81fc15a27121fcf30f273a4a590d23355f0440d9066262f7432a7c4ac1f99a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E21C230A04248AFEB54ABB49C45BEE7BB6FBC5300F10C456EA05DB284DA359D01CB90
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: Hwq
                                                                                                                                                                                                                                        • API String ID: 0-933684408
                                                                                                                                                                                                                                        • Opcode ID: 72a4d05a1927913fbbd828c90a47365d3b741e5b34383665ce76e813a78d3adf
                                                                                                                                                                                                                                        • Instruction ID: cfd5820924d9c0136acd8d36cfe158a2d27ba42297aefc1ac4799db18b2420a0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 72a4d05a1927913fbbd828c90a47365d3b741e5b34383665ce76e813a78d3adf
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0C21A170B04244AFEB54ABB88C45BEE7BB6FBC5700F10C466EA05DB284DA759D058B94
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $sq
                                                                                                                                                                                                                                        • API String ID: 0-923501781
                                                                                                                                                                                                                                        • Opcode ID: f6f7b9d2f277e66c67b0aec957b21c99525fa13cf576688d9d8f7e93276d97db
                                                                                                                                                                                                                                        • Instruction ID: c6f1a32189a68204cb03ec0c4c2d65ab18117adf84aca57642126eedc70e7169
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f6f7b9d2f277e66c67b0aec957b21c99525fa13cf576688d9d8f7e93276d97db
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0521A12090D284DFC361966C94051FE7FEF9A43287B14C4FBD566CB1B2D6368841CBA2
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $sq
                                                                                                                                                                                                                                        • API String ID: 0-923501781
                                                                                                                                                                                                                                        • Opcode ID: e25ba82cdb329215092b20c9f5049fbcfb3e178cc5af8c734a3605268a654a5c
                                                                                                                                                                                                                                        • Instruction ID: 7650a19b25cbb2ccefd89ff31ea6c4e48c9ef7be079679347d7a5fe5451d8358
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e25ba82cdb329215092b20c9f5049fbcfb3e178cc5af8c734a3605268a654a5c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BC11D62090D244EFC760A66C98152FE7BDF97432C7B14C4BBD5268A172C63648018BB6
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: $sq
                                                                                                                                                                                                                                        • API String ID: 0-923501781
                                                                                                                                                                                                                                        • Opcode ID: 12166c2060bebdb6b276a9e20084b477b5d27d19b5c8f408a6624784f9f66b13
                                                                                                                                                                                                                                        • Instruction ID: b76f5144ef67232a2adba9c530ddc5c4b03b015f6de399a1384fd0362d217662
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 12166c2060bebdb6b276a9e20084b477b5d27d19b5c8f408a6624784f9f66b13
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3AF06D70A09601DBC3648B98E4056E9B7AFF7086C3F44C27AE90AC7221C7758880C79E
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: G
                                                                                                                                                                                                                                        • API String ID: 0-985283518
                                                                                                                                                                                                                                        • Opcode ID: e83a0bad8e50a04e3ef6b9919d102bd04a9b339d4c7ac49d4dcf0755e47da198
                                                                                                                                                                                                                                        • Instruction ID: 7974fc9a4cf8c22502f3f76d84c6d6aa3474007676d58a03b42f4a330a6dc1a3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e83a0bad8e50a04e3ef6b9919d102bd04a9b339d4c7ac49d4dcf0755e47da198
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C7D0A7B080E1C8CFCB01CFA08E101EC3F3A9713302B0930C2C5598B652CB350E05EB2A
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: G
                                                                                                                                                                                                                                        • API String ID: 0-985283518
                                                                                                                                                                                                                                        • Opcode ID: 8e82190f5c6f18215c26c7769d1ba4f49c1d5dbd9fa57319c5af83b20e69c0de
                                                                                                                                                                                                                                        • Instruction ID: 3e2b89c54b9c0450c38780e304643da19b9b6a310b19b76d69096842d328c9ae
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e82190f5c6f18215c26c7769d1ba4f49c1d5dbd9fa57319c5af83b20e69c0de
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3AC012B080D108EBC604CE88D9066ACB7AE9740202F000084D90E82200CF321E109A86
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d6e883ecd4604a10a3c09b47e2e54a54db3e2ec1ea92b7f388b70592eb8b1283
                                                                                                                                                                                                                                        • Instruction ID: edc0ed2c954aa88532eec7b609c2ad4fa709f4cbf41ad38573949cbab88b8ead
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d6e883ecd4604a10a3c09b47e2e54a54db3e2ec1ea92b7f388b70592eb8b1283
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E6201B0D04B478AE7749FB5859939E7AA1EB81308F604A1FD1BACF750DB3494C2CB49
                                                                                                                                                                                                                                        Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35c6257714346c2b279db3ceacc016197f05fa3fc688d0dc3cfda64b42ea650a
• Instruction ID: d591cba04c8c4ea72b20ae64018ecc43f08b80a2496ef7dff6050db005ece07b
• Opcode Fuzzy Hash: 35c6257714346c2b279db3ceacc016197f05fa3fc688d0dc3cfda64b42ea650a
• Instruction Fuzzy Hash: 16420270D1061DCFDB14EFA8C8846ECBBB1BF49300F518299D5597B265EB30AA98CF91
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fd87a15f302c3e9379fc521b056c17f3fb10b6304f905fb705239e71a2602bc3
• Instruction ID: d774978b2fe2dee3e06ff66b8ea632d078107979b0bcdcec35950cc253f3320b
• Opcode Fuzzy Hash: fd87a15f302c3e9379fc521b056c17f3fb10b6304f905fb705239e71a2602bc3
• Instruction Fuzzy Hash: BF420270D10619CFDF14EFA8C8486ECBBB1BF49300F518299D5597B265EB30AA98CF91
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7a70bfb264504cc41b4b64c42a5e067eb12420b8a252828fb931d19d1d550b2
• Instruction ID: 3aa7a1c03bf1ad3a21d57eff0639baf5fe0db775d91ea12d8b6128d08b011609
• Opcode Fuzzy Hash: d7a70bfb264504cc41b4b64c42a5e067eb12420b8a252828fb931d19d1d550b2
• Instruction Fuzzy Hash: E72249F0909B478AE7749BA5848839EB690EB46308F704A5BC0FACE355D73590C7DB4E
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: de1b7dd46faed2f13b48b34f05797660ff20a3132542b0cc23beee6ef6a4fdbc
• Instruction ID: 99bb318ecc19b318bd4f06cd04ec91e03860c6a9b1d8ebf68d4b63811dfc99be
• Opcode Fuzzy Hash: de1b7dd46faed2f13b48b34f05797660ff20a3132542b0cc23beee6ef6a4fdbc
• Instruction Fuzzy Hash: FFD1C1B0F01205DFCB15AB68C4986EEBFF2EF44206F6644A9D442A73A4DB30C861CB85
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a01b2b79beb775a9c01e342f25afe0cb61da75371a9e27ddcd423be2cb89ad3
• Instruction ID: 901f18102b334308197a62585b6d444d350d9662653820a3625972f4ef02014d
• Opcode Fuzzy Hash: 3a01b2b79beb775a9c01e342f25afe0cb61da75371a9e27ddcd423be2cb89ad3
• Instruction Fuzzy Hash: F2B1CBF1E01209CFEB15DFA9D9546AEBBB2FFC8300F244569C425AB641DB309951CF62
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc4040b9ba004fadb224983bfc6e3659f73079cc2c5577a69f40e8810ebc8dbe
• Instruction ID: 1902dc95a6f482f4db26fdfeb3fe0c2816807ec604df03493094fc27a60a5a5c
• Opcode Fuzzy Hash: fc4040b9ba004fadb224983bfc6e3659f73079cc2c5577a69f40e8810ebc8dbe
• Instruction Fuzzy Hash: 71F1C971D1061ACBCF10DFA8C8546EDB7B5FF48310F1086AAD559B7214EB70AA85CF90
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29c4820aea6c3847a0b03142c9e2ff41b9f899c228abea46fffc62eb38352b29
• Instruction ID: 8f778e382e28f4d43a3cab319df5f650b400b6de93d46bb7b4022ddcbd998730
• Opcode Fuzzy Hash: 29c4820aea6c3847a0b03142c9e2ff41b9f899c228abea46fffc62eb38352b29
• Instruction Fuzzy Hash: DCE1D975D1061ACFCF10DFA8C8546EDB7B5BF48310F1086AAD559B7214EB70AA85CF90
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ded1735f10e78954f49e3c252d2f89d931741809dd2e1ce829f42360446dbdd8
• Instruction ID: 56229c73351905092faa30a7dfcd173f8ebd993ec1aae1a3a7cc175b5f81481a
• Opcode Fuzzy Hash: ded1735f10e78954f49e3c252d2f89d931741809dd2e1ce829f42360446dbdd8
• Instruction Fuzzy Hash: EDB135B5A00219CFDB04DF68C898AAEBBF6BF89710F1540A9E515EB3A1CB34DC41CB50
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 081f3afa0af4c320e99d5d4df3ac510a152b574dec520b49d5fcfc4ff9d325c8
• Instruction ID: a076ea314fd3ec7575e57e944dc884c4d8575c30fa013036f387f32a8ef866dd
• Opcode Fuzzy Hash: 081f3afa0af4c320e99d5d4df3ac510a152b574dec520b49d5fcfc4ff9d325c8
• Instruction Fuzzy Hash: D491B3F1A10209DFDB11EF68D5886ADBFB1FF45300F108469E465AB2A4EB30D965CFA1
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7e182ba7360bbd9a8ae9243eb12bf78ecb6589f988f39e7075eec3b66631df13
• Instruction ID: 0c91cb394343b2980e576dc12c60e55eb6bfd29926ceae1e0f504e947fd761ca
• Opcode Fuzzy Hash: 7e182ba7360bbd9a8ae9243eb12bf78ecb6589f988f39e7075eec3b66631df13
• Instruction Fuzzy Hash: 5FB1C4759106198FDB50EF68D844ADCFBB1FF49314F05C299E949BB211EB30AA89CF90
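The records above are emitted one per disassembled function, and the two regions (07A10000 and 080B0000) are unpacked code that never existed on disk, so triaging them by hand is slow. The following is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses "Memory Dump Source" records in the layout shown, groups them by the dump offset, and flags functions whose Instruction Fuzzy Hash strings agree in almost every position. The position-wise comparison is my own heuristic for spotting obvious variants of the same function in one dump; it is not the similarity metric the plugin uses. The sample text is copied from three of the records listed on this page.

```python
"""Parse Joe Sandbox IDA-plugin "Memory Dump Source" records and flag near-duplicate
instruction fuzzy hashes.  Added example; the position-wise comparison is a simple
heuristic of my own, not Joe Sandbox's similarity metric."""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample: three records copied from the listing above, indentation removed.
SAMPLE = """
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35c6257714346c2b279db3ceacc016197f05fa3fc688d0dc3cfda64b42ea650a
• Instruction ID: d591cba04c8c4ea72b20ae64018ecc43f08b80a2496ef7dff6050db005ece07b
• Opcode Fuzzy Hash: 35c6257714346c2b279db3ceacc016197f05fa3fc688d0dc3cfda64b42ea650a
• Instruction Fuzzy Hash: 16420270D1061DCFDB14EFA8C8846ECBBB1BF49300F518299D5597B265EB30AA98CF91
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
• Opcode ID: fd87a15f302c3e9379fc521b056c17f3fb10b6304f905fb705239e71a2602bc3
• Instruction ID: d774978b2fe2dee3e06ff66b8ea632d078107979b0bcdcec35950cc253f3320b
• Opcode Fuzzy Hash: fd87a15f302c3e9379fc521b056c17f3fb10b6304f905fb705239e71a2602bc3
• Instruction Fuzzy Hash: BF420270D10619CFDF14EFA8C8486ECBBB1BF49300F518299D5597B265EB30AA98CF91
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
• Opcode ID: de1b7dd46faed2f13b48b34f05797660ff20a3132542b0cc23beee6ef6a4fdbc
• Instruction ID: 99bb318ecc19b318bd4f06cd04ec91e03860c6a9b1d8ebf68d4b63811dfc99be
• Opcode Fuzzy Hash: de1b7dd46faed2f13b48b34f05797660ff20a3132542b0cc23beee6ef6a4fdbc
• Instruction Fuzzy Hash: FFD1C1B0F01205DFCB15AB68C4986EEBFF2EF44206F6644A9D442A73A4DB30C861CB85
"""

# "• Key: value"; the key stops at the first colon so "Source File: ..., Offset: ..."
# keeps its whole value.  Bullet is optional so copy-pasted text without it also parses.
FIELD_RE = re.compile(r"^[•\-\*]?\s*([A-Za-z ]+?):\s*(.*?)\s*$")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


def parse_records(text):
    """Return one dict per 'Memory Dump Source' block; empty fields are kept as ''."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is None or not m:  # headers such as 'Similarity', blank lines
            continue
        key, value = m.group(1), m.group(2)
        current[key] = value
        if key == "Source File":
            off = OFFSET_RE.search(value)
            current["Offset"] = off.group(1).upper() if off else None
    return records


def group_by_offset(records):
    """Bucket functions by the memory region they were dumped from."""
    groups = defaultdict(list)
    for r in records:
        groups[r.get("Offset")].append(r)
    return dict(groups)


def hamming_distance(a, b):
    """Number of hex positions that differ; only meaningful for equal-length hashes."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def hash_similarity(a, b):
    """1.0 for identical strings, 0.0 when every position differs (heuristic)."""
    return 1.0 - hamming_distance(a, b) / len(a)


def near_duplicates(records, threshold=0.9):
    """Pairs of functions whose Instruction Fuzzy Hash agrees in >= threshold positions."""
    pairs = []
    for r1, r2 in combinations(records, 2):
        h1, h2 = r1.get("Instruction Fuzzy Hash"), r2.get("Instruction Fuzzy Hash")
        if not h1 or not h2 or len(h1) != len(h2):
            continue
        s = hash_similarity(h1, h2)
        if s >= threshold:
            pairs.append((r1.get("Opcode ID", "?")[:12], r2.get("Opcode ID", "?")[:12], round(s, 3)))
    return pairs


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for offset, fns in group_by_offset(recs).items():
        print(f"region {offset}: {len(fns)} function(s)")
    for a, b, s in near_duplicates(recs):
        print(f"near-duplicate: {a}... ~ {b}... similarity {s}")
```

Run as-is it reports two functions in 07A10000 and one in 080B0000, and flags the first two records as near-duplicates: their instruction fuzzy hashes differ in only six of seventy positions, which is the kind of pair worth opening side by side in IDA to see whether it is the same routine emitted twice by the unpacker. Feed it the full report text and raise or lower `threshold` to tune how aggressive the grouping is.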
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 50fca5264df7b3a8cfd0b9c071d649d5c03c1217b676ae1383c4a142d9eb32a3
• Instruction ID: e7c417b9c144a7c47fdb2ab889713a4b9fa01500db6330393576cacab0f9d096
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 50fca5264df7b3a8cfd0b9c071d649d5c03c1217b676ae1383c4a142d9eb32a3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 60915574A09648CFC714DB68C8A0BFEBBF2BF45322F14896AD4559B345CB74AC41CB91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 339d459d48f44423590adbebd50d0c278c0109e9da909e4400b82b10a3fc906e
                                                                                                                                                                                                                                        • Instruction ID: 3b4d0b9193bbf4cfe24ff5d7535e963c0c5830aca1b91d49130b159288fbbffc
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 339d459d48f44423590adbebd50d0c278c0109e9da909e4400b82b10a3fc906e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9E91E3B4A0064A9FDB10CFA8C994ADEB7F2FF88310F048569E96997250E731E951CF50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6fbd6d0f19d9f9f351735e1076558c7eef1a9ba180e41ae17fc8fb7830e462c1
                                                                                                                                                                                                                                        • Instruction ID: 020452c59d4aeddb02962108d55734d436c95dc82848146430b8ff94c67e35f8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6fbd6d0f19d9f9f351735e1076558c7eef1a9ba180e41ae17fc8fb7830e462c1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2D51EA35A10609CFCB50EFA8C8948EEF7B6FF89211B148669D516B7354EB30E985CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: bacf0ab75b4d7f8537d7b47b6a9c15f1a99b33dc9193f79ed2bda8dbc4d064f6
                                                                                                                                                                                                                                        • Instruction ID: 0fdac3a3dbe57fddfade7e34a5a5b09df963bda634ea75f1b2108a6b6725fbc4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bacf0ab75b4d7f8537d7b47b6a9c15f1a99b33dc9193f79ed2bda8dbc4d064f6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 11414B74A11205DFDB189F68E468AAEBBF7BF85302B148469E806E7294DF30D841CB91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f8d1646ade5a454931f58ab6c55e93b84912704efab76e0f03209caa0d97013e
                                                                                                                                                                                                                                        • Instruction ID: 7d47a40cc6b136fa52d61c83dcb0a022762cf1ba6e35e4279d0d166b9f01a678
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f8d1646ade5a454931f58ab6c55e93b84912704efab76e0f03209caa0d97013e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 16516435B10609CFCB04EFA8D8849EEF7B5FF89300F00856AE515AB321EB71A945CB91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b72c0d1ca59fc8f946ee19b2ac2759e37a1bd271bb17c9a8945d101fce2afab9
                                                                                                                                                                                                                                        • Instruction ID: 48b3ba799b4df6e7d3efd331b0f2d05ce0ee1d7bd7b519dbd5976f2de8855d15
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b72c0d1ca59fc8f946ee19b2ac2759e37a1bd271bb17c9a8945d101fce2afab9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FF412AF0ED42579FEB02EF74C8496FA7BB1AF45260F120426D422E7295F6348910CBB1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 69f7d455f829749363bc29ebf6171c48b5c765facbf134d4a1132310c6f89eeb
                                                                                                                                                                                                                                        • Instruction ID: acab2b2d86e68446437f30606df9ea0b6303fe392df9b5a797556aba296937f2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 69f7d455f829749363bc29ebf6171c48b5c765facbf134d4a1132310c6f89eeb
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 55414E31A00649CFCB50DFA8C8845EDFBB2FF89311B148669E516A7355EB34ED85CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 227640a0c9efb2b0a6308a96fa9a1ee5a15216ba88a94798036e8ed5bf320177
                                                                                                                                                                                                                                        • Instruction ID: f7e971c46d137e77768aa2b5f8d842873990e685044478768ff597e4e0cbbf8e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 227640a0c9efb2b0a6308a96fa9a1ee5a15216ba88a94798036e8ed5bf320177
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D84194F0EE451B9FEB01AF74C9497EA7BB1EB45360F524425D422E7294F634C9108AB1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 32cdd18c78939dbc38b45cec44675b2e5553f995937f6c53b35757e35a45c354
                                                                                                                                                                                                                                        • Instruction ID: 31a0ff9c5c307f0510f42f28ac90a26275919f84fb1195635fa77611e80304fa
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 32cdd18c78939dbc38b45cec44675b2e5553f995937f6c53b35757e35a45c354
• Instruction Fuzzy Hash: CE416C70A026099FEB04DFA8D854AEDBBF2EF89311F148169E451BB3A0DB31AD40CB51
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6fb9f061be5f50aea68480c4f1a7d574deb226b4f4860bd68be1b9d95a3564db
• Instruction ID: ceac91f374ab230f830dcde52e43170ccc93b8d35b7a12955e6c84af27d0fca9
• Opcode Fuzzy Hash: 6fb9f061be5f50aea68480c4f1a7d574deb226b4f4860bd68be1b9d95a3564db
• Instruction Fuzzy Hash: 2C4166B1E05209DBEF219FA9D9884ADFFB2FF88300F258159D5157B255CB3198A1CF81
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21c33896fca9b581cc22e9c9b85c93139f7ba6e760b42e7f22bd58e6d7a1069c
• Instruction ID: d26d5aefe91c407381434c50a9793a7cadb109d7600b05cd16731d1db8b9d1ad
• Opcode Fuzzy Hash: 21c33896fca9b581cc22e9c9b85c93139f7ba6e760b42e7f22bd58e6d7a1069c
• Instruction Fuzzy Hash: 034125B1A0011A9BEF05DF64D894AAEBBB7FFC4301F148429FD129B294DB349C56CB90
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ffc5f279d967bb26921cb864a04c7bd70b4f4aaa7ba2062c4d281a37d23460e7
• Instruction ID: c056d875723f83fe3983172801a9259ab6c01c3f907a91cfdd8b01d661923cbf
• Opcode Fuzzy Hash: ffc5f279d967bb26921cb864a04c7bd70b4f4aaa7ba2062c4d281a37d23460e7
• Instruction Fuzzy Hash: 70416B70A02609DFEB04DFA8D854AADBBF6EF89311F148169E451BB3A0DB30EC40CB51
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6e6154119781261e16d2bb7b30a29fae7d39baab97dc50e239f2502fbd8238a
• Instruction ID: 019396a2d2390903b86a13df9058018d5c2b12dc665229e2c0655394939f8af8
• Opcode Fuzzy Hash: d6e6154119781261e16d2bb7b30a29fae7d39baab97dc50e239f2502fbd8238a
• Instruction Fuzzy Hash: 9F41B274B08205CFC744DB5CD8506BEB7B2FBE9315F188469C526AB381CB3A9C828B91
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07f53975a07c942190b16e4f74cc642ecd8fecd9d0a25b778604b338bcd772d6
• Instruction ID: 0842d2dc1e169b26767f33ec264eb6b583828b58aa4e557ac59282f1f0d50f37
• Opcode Fuzzy Hash: 07f53975a07c942190b16e4f74cc642ecd8fecd9d0a25b778604b338bcd772d6
• Instruction Fuzzy Hash: 0F41E67460D391CFD709577888286BDBFB3ABC6212F1085ABD942C7392DA744D01CBA2
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b85ca801722641222f00838fe547a02486f4b4bc4ef1a2ff78f00d04e1d71022
• Instruction ID: 1aacd5d25975092d563b711cc9e90b968fd79972a0167db92e8619761c3d6bb2
• Opcode Fuzzy Hash: b85ca801722641222f00838fe547a02486f4b4bc4ef1a2ff78f00d04e1d71022
• Instruction Fuzzy Hash: E73129767002409FEB15CB79C8959BFBBFAEFC5220F18809AE55687251C634F841C791
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 625ee202522baa15b7fb745b98cfa49e3871db9e627d660b829c2ded6fb7ac12
• Instruction ID: bcdf56ab034b2dd92cd48a746cdc3522edbf56aa2b80e9ab9e9d551d4ace1ecc
• Opcode Fuzzy Hash: 625ee202522baa15b7fb745b98cfa49e3871db9e627d660b829c2ded6fb7ac12
• Instruction Fuzzy Hash: 9D315A75E10219DFCB149FA8D85499DBBF6FFC8311F10866AE901AB360EB709851CB91
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f043a2fdf6585dea35e79bfde70464bd2a2d13d8734844f242ce141aa0a21395
• Instruction ID: d7f5a02428a205769df877fac656b2256ac63b490300daf077d144d669512ecf
• Opcode Fuzzy Hash: f043a2fdf6585dea35e79bfde70464bd2a2d13d8734844f242ce141aa0a21395
• Instruction Fuzzy Hash: FB31BC74A113059FDB258F68D469AAD7BF7BF89302F28807AE806D7391CA34C941CB91
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f1fec0e08f2702d83fbb18b5c479e84b6b3e603120aa11f4921e473679189df
• Instruction ID: 403be1f95f16f5a7e1bd0603cf8401136e85fd38d3c0dbf35c68b3bab51e7c99
• Opcode Fuzzy Hash: 1f1fec0e08f2702d83fbb18b5c479e84b6b3e603120aa11f4921e473679189df
• Instruction Fuzzy Hash: 9731B170B0C155CFF7548BED88502FEB7A3AB46353F04857BDA22DB295C624CD518792
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b493a0a6e00de7cf17ea77470afbc867daad832b3c82b613a84eb011bf477ff7
• Instruction ID: 04a44747864ee5e5ea607d81681e9c0095f63fc291f7a70e130593192d1c749b
• Opcode Fuzzy Hash: b493a0a6e00de7cf17ea77470afbc867daad832b3c82b613a84eb011bf477ff7
• Instruction Fuzzy Hash: 0F31AE71A01205AFCB54DF69D884BEEBBF2EF88311F10892EE4169B290DB74DD40CB90
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d323ecaa6b0a3d265aca21710db9e4df8717b81d07b03794b08f4de7415669cf
                                                                                                                                                                                                                                        • Instruction ID: 477cf89e0284bcf8aac9fd7173e3c45aa735dad661f5c6085bc0026abf922261
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d323ecaa6b0a3d265aca21710db9e4df8717b81d07b03794b08f4de7415669cf
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BD316AB1A801098FDB10DFA8C954AEDB7F5EF49220F2441AAE515EB261DB31DE00DF60
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 2197594148c6852d46674248d6023dca68ae6d7b41f5c665e2b991427611b333
                                                                                                                                                                                                                                        • Instruction ID: 8daf7634ad23de3db95270ba398baf24cc536dd804ee05c7778160269b1de988
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 2197594148c6852d46674248d6023dca68ae6d7b41f5c665e2b991427611b333
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F0318B353042009FD784DFA9E8C1AAA77E7EBC9311F14856AE909CB365DF30AC428B61
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7049b841bf1f1292313bb186d950a4d1e26ff0274f4b5e351a3665a511bf6115
                                                                                                                                                                                                                                        • Instruction ID: d013e9785b86fdc265ea26ffbcc73eb937b1c060b3e1903c892de7a738fbb0df
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7049b841bf1f1292313bb186d950a4d1e26ff0274f4b5e351a3665a511bf6115
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 2031ACB6610210CFD714DF28D898AA9BBF2FF8A710F1554A9E416DB3A1CB75DC01CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0c66ecde02fc7885eef498127ddc920ee426e8817887e2e0cd7ae67673af1f86
                                                                                                                                                                                                                                        • Instruction ID: e8842f416a0bf1f65dc249200edc97b7f1eaafdd736d0a4c30996ee2fb5fd0b2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0c66ecde02fc7885eef498127ddc920ee426e8817887e2e0cd7ae67673af1f86
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 1E21F631708140DFF7288A1D8812AFD77A3FBC1B22FA9842AD4078B391CF708D429756
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ae97d70f458eea7bef01c9ca8816f7eb9a2069e12e27ebfa07a1e584cc658f1a
                                                                                                                                                                                                                                        • Instruction ID: a01301b9752d3ce83fcd92720e6678f148c0736380f02a9d6da0d78510f3cdc1
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ae97d70f458eea7bef01c9ca8816f7eb9a2069e12e27ebfa07a1e584cc658f1a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9F317A71B012598FDB00DFA8C894AEEBBF6BF88710F14406AE415EB360DB759D00CBA1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: fbf82fe9539ecb6537b3fc042e82d99f355af1d002e47697e27884c15bd46e32
                                                                                                                                                                                                                                        • Instruction ID: 4df7793c20295058eb53a160fb3e22fcb8f1bbe88150440233bedc85cf45c4e0
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fbf82fe9539ecb6537b3fc042e82d99f355af1d002e47697e27884c15bd46e32
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3E31AD74A08204CFD7449B58D8956BDB7F2FBE5316F14846AC526AF342CB36AC828B91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 82645ab48b5a76e8dbc183158b9963d523f3bf2da8360d41691ef201ae3253ed
                                                                                                                                                                                                                                        • Instruction ID: b7f94f0a54f24e937cb8a15b0e85fa10267d62ef660d9b40ec015b1aa2b4356e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 82645ab48b5a76e8dbc183158b9963d523f3bf2da8360d41691ef201ae3253ed
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A731F6B5E1020E9FCB40DFA8D8905EEBBF2FB48311F104469E526F7250EB359A558FA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b65b468f1932098426dfe84f76b10cf5299b0fe79a9aa3014f16f5ec43566397
                                                                                                                                                                                                                                        • Instruction ID: d3a92628ce0d358f46556eb80e191f71d9c60df25cd37c4986db54dd34c96c4a
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b65b468f1932098426dfe84f76b10cf5299b0fe79a9aa3014f16f5ec43566397
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3D21F8F1E12216CBEB15BF78C4941AABB71EF82300F50C96BD46A67284FB31D910CB91
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f113bcb945bd8d78318756b06585c051ab5f2d12dc6462399950ddefb8939279
                                                                                                                                                                                                                                        • Instruction ID: 28f03868567623909f8fb476cba6a00a3c4ef79fc1b18c8a1f16677b56000271
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: fd0280e2c69a6b0bc23898290ee31beae01a5e41db78041c85dfe7b840dc6db6
                                                                                                                                                                                                                                        • Instruction ID: 21b14d32965c52644eacfa4abce2b4a928f1ad9e7693272797b4cddca44a4f39
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: fd0280e2c69a6b0bc23898290ee31beae01a5e41db78041c85dfe7b840dc6db6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F021F2B1608204AFDB05DF98C5C0B2ABBB5FB94328F24C96DE90A4F252C336D446CA61
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1729159575.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_154d000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 0832d095a1b0285fdecb840a40c123a2e0361570eeaf99271f2f9b1a08247ba5
                                                                                                                                                                                                                                        • Instruction ID: 87aa947b71a9d1f959745bc41c640e2c995bfcbbef1ca49089e58585e05a4c41
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 0832d095a1b0285fdecb840a40c123a2e0361570eeaf99271f2f9b1a08247ba5
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 042134B1604200DFCB05CF98D5C4B2ABBB5FB94318F24C96DE9094F296C376D846CA61
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1d72dd3db72332c7dc9fe78b5bb72ea4761dc642fcea0bc7b7f484cdf926dcd9
                                                                                                                                                                                                                                        • Instruction ID: a050709298ec67a0ee04d28d729f304113f546384860d367a30f7cc96e845826
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1d72dd3db72332c7dc9fe78b5bb72ea4761dc642fcea0bc7b7f484cdf926dcd9
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 03215CB5A00206CFDF10DFA8C894A5E7FB6AB89321F158065E915DB361D771EC81CB61
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: d5e7b72311ae5bf2ca1564dab436869be4df006d656bf997008cd718c171ff86
                                                                                                                                                                                                                                        • Instruction ID: 7973646555f3f8c1ca1fdba61662ec9cc5b76e5c0d93e26c2171c807d65ac890
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: d5e7b72311ae5bf2ca1564dab436869be4df006d656bf997008cd718c171ff86
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: BE213075E0020A8FCF44EF69C8848EEB7B9FF88700B508569D915B7351EB70A945CBA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 373e87cd991f9300aa8ab8a7a7fe9694ff3d65501fd916180c7155ff771899fc
                                                                                                                                                                                                                                        • Instruction ID: 22b74451922bc31eece5b9ec40f808a69436381ba1416ee65d07c15d75c4325f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 373e87cd991f9300aa8ab8a7a7fe9694ff3d65501fd916180c7155ff771899fc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 17215C71E18515CBF7508A6DC8406FEB3A2EB69323F004637E156CB7A0C774EED08A96
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 434b547c4553403259aaa610a9a73f0941c8bb9ce46f56d7707e0d99d7ef50b1
                                                                                                                                                                                                                                        • Instruction ID: 00764c0d9623662900d52917db315ece5bbe36ad680bb15cb43357129f5d7bdd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 434b547c4553403259aaa610a9a73f0941c8bb9ce46f56d7707e0d99d7ef50b1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 7C1136343083918FC716973CD8685AE3BE99FC6620B5840EBE549CB3A2CE20CC0397A1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: aa49822507e4a0b337f511da470cd35e143eddada7ae3f6cc2ae436c433b41c8
                                                                                                                                                                                                                                        • Instruction ID: e6aa8794aedea2927c87a1cc9037970cc45652e31cc6ee6d5bcaad90573a8a65
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: aa49822507e4a0b337f511da470cd35e143eddada7ae3f6cc2ae436c433b41c8
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C6215E70910609CFDB15EF68C9946EEBBB1FF8A300F14852DD456BB250EB319948CBA2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 649a3b8c489cb1b3410afde664b772ef562e95bf7fc08b6b85e03172694e5eef
                                                                                                                                                                                                                                        • Instruction ID: bc5dc0fa23fb8abde1e7caea2110c421941d448f64191f73bb94017f9acafbc5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 649a3b8c489cb1b3410afde664b772ef562e95bf7fc08b6b85e03172694e5eef
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 431194F2F06116EFDB116B55D9445EEBFB4EB81350F60CC65D0A9F21C4E6318A308B95
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
• API String ID:
• Opcode ID: 72b66e29c2be38fbf61f98e1c2d19acec92d0c55c2e3640e5d4291ce04949847
• Instruction ID: 905b01a42aca09f7d77dd70f1cc2c218cfd5cb84a9badd427e2def1864ec23f6
• Opcode Fuzzy Hash: 72b66e29c2be38fbf61f98e1c2d19acec92d0c55c2e3640e5d4291ce04949847
• Instruction Fuzzy Hash: C4216D7490021A8BCF04DBE8C9416EEB7BAFFC9311F108A25D4197B341DB746E46CBA1
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 749a03e63562f815a7514d093bcbb25f9307ffd667eabdf37a1870095f08f49d
• Instruction ID: 94e3c6ed7eaf7460574b8c02d440cae9cdb41c90d7ccd25e5a53a3cdb78498be
• Opcode Fuzzy Hash: 749a03e63562f815a7514d093bcbb25f9307ffd667eabdf37a1870095f08f49d
• Instruction Fuzzy Hash: 51119374701201DFDB20DBA8E989BAABBF6FB49341F044169E815CB381DB34DD15CBA1
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd1bcb23d46f76da988e283726c59af9bef6c49de867965cb3006ff4e322f3ba
• Instruction ID: f064a1950a1a2f31088337de29204726cf7ab76a959506cb815577252d026d9a
• Opcode Fuzzy Hash: bd1bcb23d46f76da988e283726c59af9bef6c49de867965cb3006ff4e322f3ba
• Instruction Fuzzy Hash: B711C231B082149BC754ABBE985159FBFFBDF85650F15446BE609C7781EE30AC0683E1
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 183c00cef34f260da944983896b92f464a7be020b9d4a840d4d2e73c42507435
• Instruction ID: 2a3cabfcac03982835e1f1118de6c9ce317387995a87a6dd3ddf8bb296ee6be5
• Opcode Fuzzy Hash: 183c00cef34f260da944983896b92f464a7be020b9d4a840d4d2e73c42507435
• Instruction Fuzzy Hash: 491186743002019FE754DFA9E8C2BAA7BE7EBC9311F14853AE809CB355DF3098428B61
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f42c3f02c9f04ba3e34d92c5b85bf889d10828cd6eccd506977b58f7e797ccf7
• Instruction ID: 4dc9466c8902e2318260175088ed216614d5036eb3f96ba3a781430bc4ffa7a4
• Opcode Fuzzy Hash: f42c3f02c9f04ba3e34d92c5b85bf889d10828cd6eccd506977b58f7e797ccf7
• Instruction Fuzzy Hash: 211181F1E0124A8FEB11DFA9C9506AFB7F9AFC9240F1405A9C529E7240EB349905CB72
Memory Dump Source
• Source File: 00000000.00000002.1729098088.000000000153D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0153D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_153d000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
• Instruction ID: 49be4baa9d9a7a37988842cbd2bafba9e6083374fc0263bae0881b90e56ab96c
• Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
• Instruction Fuzzy Hash: DF11BE76504280CFDB16CF54D9C4B1ABF72FB84324F2486A9D9094F657C33AD45ACBA2
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8bd4b8d75a6ca7795bf034fcd778122cfb1f7f94e943959433354e22661371b0
• Instruction ID: b3a4b71e87223d1f4cea6c8e0c1f0f11e419f908601ee52bf7d92318b163f311
• Opcode Fuzzy Hash: 8bd4b8d75a6ca7795bf034fcd778122cfb1f7f94e943959433354e22661371b0
• Instruction Fuzzy Hash: E901F5F2E0A2A2EFD7036725D9540E57FF59B83240B19C8A7D0A9E72D2E12149088791
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4a11439348c997b16a94c73968e8d9bde9e8d5b9edf79275f43102344e7d7c79
• Instruction ID: 009806495ccee67ecab4122df468c2a34fa5ac62d9d971b688158cce6eef7548
• Opcode Fuzzy Hash: 4a11439348c997b16a94c73968e8d9bde9e8d5b9edf79275f43102344e7d7c79
• Instruction Fuzzy Hash: EE01B1723191608FD304DB6DCC948AABBEAEF8A62031840AAF511CB371CA31DC00CBA1
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fe9960aa7a8528733c7a535f7571a9d51bfbadc7aad401a84fe8856f31ebf228
• Instruction ID: 1a8afbdbb34b8d89d6cbff9592cb79ec28338aec64ce4040d0a06babed660c13
• Opcode Fuzzy Hash: fe9960aa7a8528733c7a535f7571a9d51bfbadc7aad401a84fe8856f31ebf228
• Instruction Fuzzy Hash: 7911C1B0E0124A9FEB00DBB8C9417EEBBF1EF4A254F144169D821AB380E7759545CB81
Memory Dump Source
• Source File: 00000000.00000002.1729159575.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_154d000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
• Instruction ID: 4d1af27d0d9c6ed5e1440ca26c8c0fc73bf335cb5ea5fa80a667a81f42ec80ca
• Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
• Instruction Fuzzy Hash: CE11BB75504280CFDB06CF58D5C4B19BBB2FB84318F24C6AAD8094F696C37AE44ACB62
Memory Dump Source
• Source File: 00000000.00000002.1729159575.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_154d000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
• Instruction ID: 3e00b18c8a319f92c3bc323198efc6c33ed367b4bc037d4e56002f813e9fc5ac
• Opcode Fuzzy Hash: 244c614e04a80719a4cbb1e35d09afbc7f52f2045db6f081cea45e42cbbeead8
• Instruction Fuzzy Hash: 6D119D75508280DFDB16CF54D5C4B19BFB2FB84328F24C6AAD8494F656C33AD44ACBA1
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a6daac8fb5b303e62b2c597a8f117eeed2fa81af8b0a006bab8c43883b47124c
                                                                                                                                                                                                                                        • Instruction ID: ed66f4b6624b319dedeed292d532bcf5b89edcec271159d2e2f88ca343e8f7fd
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a6daac8fb5b303e62b2c597a8f117eeed2fa81af8b0a006bab8c43883b47124c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: DA018B753141208FD314DB6EC89886EBBEAEFCA62031444BAF512CB370CA71DC00CBA1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: abee553aa6f538ee99248e93cc2581f9d3c2a1d3bff78dc12695f33bfdc87cfa
                                                                                                                                                                                                                                        • Instruction ID: 07bd79d9cb57023023abcf530239abbe84ca985a911e3ee51c8427ee96a05989
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: abee553aa6f538ee99248e93cc2581f9d3c2a1d3bff78dc12695f33bfdc87cfa
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: AF01283291031A9FCB01EB78DC104DABB7AFFD9310B11876AE4406B151EB30A599CBE0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ecb044c2802e396713e767da3e92747dfbf8facb175020ecc6c4370966a63b38
                                                                                                                                                                                                                                        • Instruction ID: cda068496ae8074a05ba4a6fdfcc3339364476c9951db05a7572d320466691b3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ecb044c2802e396713e767da3e92747dfbf8facb175020ecc6c4370966a63b38
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0D018136205255AFCB464F64AC848AFBFB6FBC8220700802BFD05C3351CB318D22DB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8279ec4f47ab9efb9369f8999d9070cdfe63b7642870c0233e3753f61254077e
                                                                                                                                                                                                                                        • Instruction ID: 00da68e92db32c60a63dfa4afba9d0dd0cb73144b097c53e7aeab49cc2ff03c5
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8279ec4f47ab9efb9369f8999d9070cdfe63b7642870c0233e3753f61254077e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 010192B0E0120ADFEB04DF68C9117AEB7B1EF49314F108529D925F7390EB759945CB81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e7f37bea8a3e8e64de377930d7fd95c1d59071d00a205f8b56742a2a8844d6ef
                                                                                                                                                                                                                                        • Instruction ID: 81d5bdec856fb68ff463723827c6e6ad6b0c6014c921aacbb9f8062deb43be4f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e7f37bea8a3e8e64de377930d7fd95c1d59071d00a205f8b56742a2a8844d6ef
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 5FF046B1A0010AE7DB04AB7880613EEBBA7EFC4A00F14046FC1426B741CF744D0987E1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1195f7c4703f1dac179d5cbd6f9a1cd1f0e228025fb6b2ff8bc5472f14c45468
                                                                                                                                                                                                                                        • Instruction ID: 37e12707897289504f1a8eb7e392307f4a99f81f96ee77e80ff6caf9aab96a03
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1195f7c4703f1dac179d5cbd6f9a1cd1f0e228025fb6b2ff8bc5472f14c45468
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 9FF09636305200AFC3155F69E844AD67FA6EBC9721F14C07BF589CB241CB35C955DBA0
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 1e4b43824a33e3f274b1719b9014d14ac372ca7f7e6efd979b90edb10de9394c
                                                                                                                                                                                                                                        • Instruction ID: b3358e5ec42ea8e788a09ed22469db49ce80804bfe1894f854a951b4fe1ebb80
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 1e4b43824a33e3f274b1719b9014d14ac372ca7f7e6efd979b90edb10de9394c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: A901923094D3C88FC7819A6884145E9BFB39F82346F04C0AED5515F682CB7A9897CB62
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 00127c599cb37752b55334b017265ac3862d7f874f4c57ac882045e7e319a87c
                                                                                                                                                                                                                                        • Instruction ID: 073a37a116848a0545e01ba9eceb59165137d69744b865aa70f0c702c2c49a5d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 00127c599cb37752b55334b017265ac3862d7f874f4c57ac882045e7e319a87c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 4FF022B4E0110EDBCB00CFACE640BADF3B5EB85340F108A6ADD28A7200E6305E409B81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ce94b71aeff1e49208ded5de8da9fda7fb54da8a003395d345bc28834de0e469
                                                                                                                                                                                                                                        • Instruction ID: 4e382b33d92b954dc9a66b2ae021495c4d03bdad304c3ffdb38eae07565a4831
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ce94b71aeff1e49208ded5de8da9fda7fb54da8a003395d345bc28834de0e469
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B4F0377020A341DFC3199B3D94548267BE5DF4621070598AED4558B6A1C935D851CB52
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7b750e8c4d90174456ef9b70871f66ea3093c5e89907d50f5118fe90ad176d0e
                                                                                                                                                                                                                                        • Instruction ID: 3baa6d158dc7306991583161ecd32656a25134061340283db2b0220bf06d780c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7b750e8c4d90174456ef9b70871f66ea3093c5e89907d50f5118fe90ad176d0e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 63E0D8B4206350DFC31A9F28D8804937BF6EE4762130582AFD0558BA71C635EC80CBA1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 24191b9ac94bd70a2cc058a95a06f1acaa84f5e0167527a25a73197f9c5b7523
                                                                                                                                                                                                                                        • Instruction ID: f4b1f6b2e2765a434d6beb8db438ff2b8bd2185c5599b0f1b23d3b707de54332
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 24191b9ac94bd70a2cc058a95a06f1acaa84f5e0167527a25a73197f9c5b7523
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 65E092B1B026210B9B08EB7EA40486AF7EBEFC8514304C47ED50D8B764EE319C4186C8
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: da8482a7116df56cc5f91501e01f16538681c7325bbeea458c631b7031fd4c06
                                                                                                                                                                                                                                        • Instruction ID: 262b822eb1f37a026f31fada84acb879df1455558d33f157381e72f9874136b9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: da8482a7116df56cc5f91501e01f16538681c7325bbeea458c631b7031fd4c06
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 56F0ED353604158FC718DB2DD844D5977E9EFC9A6131640BAF50ACB372DE61DC02CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6d2e3df7ce8de23746f886b98e0b1eb798293e47f20d48b60d8393aeb748c05a
                                                                                                                                                                                                                                        • Instruction ID: b10d4ebd5957c2747c08df32090a6c84f96c3c85695dd1546029894c76821089
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6d2e3df7ce8de23746f886b98e0b1eb798293e47f20d48b60d8393aeb748c05a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 18E0D87265030AABDF215AE1DC497967FA8DB94272F008031FA16C1141E6F5C054C161
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5d8ca57a5bfa08a70cbdf00969fb48c2c218445428ecb08a739ae37864ca129b
                                                                                                                                                                                                                                        • Instruction ID: 50ccf8ec05f38b703f3b373eee5cd89fe65540c625d80dbdedd5972ba7a317ce
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d8ca57a5bfa08a70cbdf00969fb48c2c218445428ecb08a739ae37864ca129b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 27E0D8B0A4520DDBDF14DFA4F946B9DB774EB82325F1042E8EC0863214DB715E40EB85
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e7d85a55034488af1a4b5453a00be188857fde9772489f191352971140be4cd6
                                                                                                                                                                                                                                        • Instruction ID: e346e8420fc3eb9b09f6ba262154e3055b621adeef5637ce1189503e57d842b2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e7d85a55034488af1a4b5453a00be188857fde9772489f191352971140be4cd6
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0DE0867714E3A04FE6118624AC617CA3B91DF92105F1E85D7E091DF096C41A5A859262
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5d99518de251201b4d931d8feaaddf91f435e247d8432fa79c4784dae4e2eae3
                                                                                                                                                                                                                                        • Instruction ID: e12bac4bfe558a4a2b86148a4053f5d39c75dd4e4e1580d34896bdb1fbf09e01
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5d99518de251201b4d931d8feaaddf91f435e247d8432fa79c4784dae4e2eae3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EEF0E53099D2C89FD384566890052B97BB3A7D330BF24C1ADC5580E182CB3FC443C761
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 107315a700e44fa954b0483da97aae76ebd608d00a12250a3ee13a2cc9de23c0
                                                                                                                                                                                                                                        • Instruction ID: 4b57e01645c256bcab385c2787050446d54490c58a9fcb627d06972bc7d6abc4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 107315a700e44fa954b0483da97aae76ebd608d00a12250a3ee13a2cc9de23c0
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 18E0866161C1C4C3CA08317F88485FD7F53A7C5323B118566EB47466C7F9229803C5A2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 5a85cb53af137cf36d951155dfad8f3faa48d4f64164df28fd8247ef42ba7150
                                                                                                                                                                                                                                        • Instruction ID: 271e3351452b453136e71729b9c7678dcf10c2ba8071c3527d007866e596b459
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 5a85cb53af137cf36d951155dfad8f3faa48d4f64164df28fd8247ef42ba7150
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 25E020B13097B51FD71AD73A5820876BBEB6EC7500318D1DED8458F296DD215C41C7C4
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 8e77be2a5bbb06ae344126d3025c09fa19315e5b33b9fd013166d61446c4c461
                                                                                                                                                                                                                                        • Instruction ID: 798165f301fe5ad486542fce04098152ae33d2607ed9bb0c5d3eab98a3071f21
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8e77be2a5bbb06ae344126d3025c09fa19315e5b33b9fd013166d61446c4c461
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 72E02B70A1D288DFD3308A6CA8116E93FAB9B46302F00C8CBDD07EB542C92048004763
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 70e16683673561c4f2aef60cca1cf642f9680e0c7b7cacdc5442cd5024ad2252
                                                                                                                                                                                                                                        • Instruction ID: e6c1ca9cddbb17fa0fa5b97e31b6ee64cc4788e3ea98480e35c18ee4a5eb5b72
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 70e16683673561c4f2aef60cca1cf642f9680e0c7b7cacdc5442cd5024ad2252
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F9E06D75700701ABC314CE6AD886ACBF7E6FF88360744C92AE85DC3601DA34D815CB90
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 6a4782683559949cd97e881ad82f5e7dca6f0c7759336e44fd3549857084cb7b
                                                                                                                                                                                                                                        • Instruction ID: e5ffd04a14f6246db65ed37286d3a046da2a4c9f4d8ed279ae28dabaf866db51
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 6a4782683559949cd97e881ad82f5e7dca6f0c7759336e44fd3549857084cb7b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 51D01271312516976B19566AA51887F76999BC5661704803EE42BC3240DF60DC0187E2
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f6ad8a4437c4ad8ddc80770d6d3be2d73f57d3a88b8041163025a80fc21205a2
                                                                                                                                                                                                                                        • Instruction ID: 5be81164af2c48872497f71f80c06643842e16a34c3fa4e58eed548092092ee4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f6ad8a4437c4ad8ddc80770d6d3be2d73f57d3a88b8041163025a80fc21205a2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3CE0127295060CDECB80AE34C9463DA77E1BB01311F00C52AE86DDB110E734C199DB81
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 4937a31015f43573b0b081cadb027ae01f237225ad27c21c2ae246f77516190a
                                                                                                                                                                                                                                        • Instruction ID: 7262c80734cdb17253046c6acd4b52ab388a690210a19aaba9daf4eb23a8a399
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 4937a31015f43573b0b081cadb027ae01f237225ad27c21c2ae246f77516190a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 3DD0957724902047F510D518FCD1BDD3351FFC5300F59CD55F461D7144C81AE4828512
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: e76d2811268e64c8933bf0197ea5e8cab51bb5b3076a6f3ca232867e3ae758c2
                                                                                                                                                                                                                                        • Instruction ID: 245ad9a478da150184a308baadb287bbe18da019aff1d5c565cd9112eeb5993f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: e76d2811268e64c8933bf0197ea5e8cab51bb5b3076a6f3ca232867e3ae758c2
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D1E0ED6499D2D88FC3914A2495141B47EB39BD334BF68C0AED0584E947CA7F8443C652
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 192bcc167cbccc8f7f3b2b96d5466c919e4a77cff25b1150cad0d5271cbb8bca
                                                                                                                                                                                                                                        • Instruction ID: 86561f063e9c0b5d3a2fd0e86553986fe8a67c61a0aab46e613992cf2d2fdf8c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 192bcc167cbccc8f7f3b2b96d5466c919e4a77cff25b1150cad0d5271cbb8bca
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: C9E09B346096418FD341DBA8C41415A77A1EF45201F04C4A7D4554B2A2C6349C4AC751
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a45a59b0b7a7a55ba2c8995976faeb433baa78b92d91f679e0ee4145463c31fc
                                                                                                                                                                                                                                        • Instruction ID: 2fc0ff77a9a28dc26310611c143332c5eeeb8606b5604ed693883b561ce06465
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a45a59b0b7a7a55ba2c8995976faeb433baa78b92d91f679e0ee4145463c31fc
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D0E09224A04105CFC740DB9CC82569D77B2FF88231F00852AD129AB391D739D9028B62
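The function entries listed above follow a fixed text layout (Memory Dump Source, Joe Sandbox IDA Plugin, Similarity, then the opcode and instruction identifiers). The block below is an added example, not code from this report or from Joe Security: it parses that layout into records and summarises the executed functions per memory-dump region. The sample input is copied verbatim from three of the entries above. One assumption is labelled in the code: the base-address field of the dotted .sdmp name is confirmed by the report (it equals the Offset), but treating the next field as the Win32 page protection is my reading of the naming scheme, not something the report states.

```python
"""Parse Joe Sandbox "Executed Functions" entries into records, summarised per dump region. Added example."""
import re

# Constructed sample: three entries copied verbatim from the listing above (two from 07A10000, one from 080B0000).
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a85cb53af137cf36d951155dfad8f3faa48d4f64164df28fd8247ef42ba7150
• Instruction ID: 271e3351452b453136e71729b9c7678dcf10c2ba8071c3527d007866e596b459
• Opcode Fuzzy Hash: 5a85cb53af137cf36d951155dfad8f3faa48d4f64164df28fd8247ef42ba7150
• Instruction Fuzzy Hash: 25E020B13097B51FD71AD73A5820876BBEB6EC7500318D1DED8458F296DD215C41C7C4
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8e77be2a5bbb06ae344126d3025c09fa19315e5b33b9fd013166d61446c4c461
• Instruction ID: 798165f301fe5ad486542fce04098152ae33d2607ed9bb0c5d3eab98a3071f21
• Opcode Fuzzy Hash: 8e77be2a5bbb06ae344126d3025c09fa19315e5b33b9fd013166d61446c4c461
• Instruction Fuzzy Hash: 72E02B70A1D288DFD3308A6CA8116E93FAB9B46302F00C8CBDD07EB542C92048004763
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a4782683559949cd97e881ad82f5e7dca6f0c7759336e44fd3549857084cb7b
• Instruction ID: e5ffd04a14f6246db65ed37286d3a046da2a4c9f4d8ed279ae28dabaf866db51
• Opcode Fuzzy Hash: 6a4782683559949cd97e881ad82f5e7dca6f0c7759336e44fd3549857084cb7b
• Instruction Fuzzy Hash: 51D01271312516976B19566AA51887F76999BC5661704803EE42BC3240DF60DC0187E2
"""
ENTRY_HEADER = "Memory Dump Source"
KV_RE = re.compile(r"^(?:•\s*)?([A-Za-z ]+?):\s*(.*?)\s*$")
SOURCE_RE = re.compile(r"^(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$", re.I)
PAGE_EXECUTE_READWRITE = 0x40  # Win32 page-protection constant


def parse_entries(text):
    """One dict per entry. Lines before the first header (a truncated entry, as at the
    top of this listing) are dropped; a truncated final entry is kept with complete=False."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == ENTRY_HEADER:
            if current is not None:
                entries.append(current)
            current = {}
            continue
        m = KV_RE.match(line)
        if current is None or not m:  # labels such as "Similarity" carry no data
            continue
        key, value = m.group(1).lower().replace(" ", "_"), m.group(2)
        src = SOURCE_RE.match(value) if key == "source_file" else None
        if src:
            current.update(source_file=src.group(1), offset=int(src.group(2), 16),
                           based_on_pe=src.group(3).lower() == "true")
        else:
            current[key] = value
    if current is not None:
        entries.append(current)
    for e in entries:
        e["complete"] = "instruction_fuzzy_hash" in e
    return entries


def decode_dump_name(source_file):
    """Field 3 of the dotted .sdmp name is the region base (it equals the report's Offset).
    Reading field 4 as the page protection is an ASSUMPTION about Joe Sandbox's naming."""
    f = source_file[:-len(".sdmp")].split(".")
    return {"base_address": int(f[3], 16), "protect": int(f[4], 16)}


def region_summary(entries):
    """Per region: executed-function count, image-backed or not, RWX (per the assumption above)."""
    out = {}
    for e in entries:
        if "source_file" not in e:
            continue
        rwx = decode_dump_name(e["source_file"])["protect"] == PAGE_EXECUTE_READWRITE
        r = out.setdefault(e["offset"], {"functions": 0, "based_on_pe": e["based_on_pe"], "rwx": rwx})
        r["functions"] += 1
    return out


def ids_consistent(entries):
    """Every listed entry has Opcode ID == Opcode Fuzzy Hash; return False on any exception."""
    return all(e.get("opcode_id") == e.get("opcode_fuzzy_hash") for e in entries if e["complete"])
```

Running `region_summary(parse_entries(SAMPLE))` groups the functions by the two dump bases seen above. The field worth reading first when triaging such a listing is `based on PE: false`: every function here executes from a region that is not backed by a mapped image, which is where unpacked or injected code lives, and the instruction fuzzy hashes are the values to carry over when comparing against dumps from related samples.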
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 80765c4028af485cb38e6be25d43b8d167a0231cec92e6d1088f55d8e47ee37f
                                                                                                                                                                                                                                        • Instruction ID: 0e35cc146c1d5cbce4248626771d8b03326deddb0380adff32d3889b2220b135
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 80765c4028af485cb38e6be25d43b8d167a0231cec92e6d1088f55d8e47ee37f
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 12E086B0901209DBC744EFB8E544A5DB7F5EB85304F11456CD90597214DB715E80EB41
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 9a6ed71676f0ebfe225c8ebd1ac461231a59ff6786c2763d84c5252bc7a2af8c
                                                                                                                                                                                                                                        • Instruction ID: f6ae9c6792a8f86e82797ce8a4e680b404f6b9edd97c2071a7682a81ea38fdf9
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 9a6ed71676f0ebfe225c8ebd1ac461231a59ff6786c2763d84c5252bc7a2af8c
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: ECD05E60B0F10CFB4614BA9D64741FD77ABA7482337804846D80B93300E961591097B3
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: cf392eb95a78dbadc22d1a048745d56c65531bd6c950bad8acb37d73f0bbdd79
                                                                                                                                                                                                                                        • Instruction ID: 4ea61ac50836de87b44dae7452cd564cc8cb60090da23dca0ad2371e062b2af2
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cf392eb95a78dbadc22d1a048745d56c65531bd6c950bad8acb37d73f0bbdd79
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B9D0C76434C1C4C7C54C357F58186FD7DA75BC4313B10C566D74BC6787F922981186A6
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ad83c4670f5f86b6f475141fc688855ea3310e44532507d63c1dc7fd13f687e3
                                                                                                                                                                                                                                        • Instruction ID: e52c60f2bb9d77513b118ee1c7fe3e86d71c1fd0a751f7193cb0e71d4dcd5c5f
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ad83c4670f5f86b6f475141fc688855ea3310e44532507d63c1dc7fd13f687e3
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F5E01A71D096858FC705CF78C8A52AEBFF2BF82205B1884DBD0649B116C7345556CB82
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: de9e371ad55b5a1702c17b25bc1df1aa630ac7d04eb854d65d00e6c24480c342
                                                                                                                                                                                                                                        • Instruction ID: c0ba5ce3ff5a59aa6b8ce0eda1cf652e8375ecd3c23371aef99288cd53bdb9fe
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: de9e371ad55b5a1702c17b25bc1df1aa630ac7d04eb854d65d00e6c24480c342
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B6E0EC31810A0CDDCB80EE78D90459A7BE8AB06211F00C52AE95D9A110F630D2D4CB80
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 65fda85c1161962620d3363dff104a19c2a5266ff11fa5ae3773fa1678e76620
                                                                                                                                                                                                                                        • Instruction ID: d2dacfcf43a2fdc03b6c3004140dd90fe2d19457efcef757595e23c73cb66c9c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 65fda85c1161962620d3363dff104a19c2a5266ff11fa5ae3773fa1678e76620
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 89D05E24B08109ABD308EA759C5057E76A3B7C8722F50C469A85287384DD308802CA51
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: ba9c8bfa79a25b15fb200fd2dd0511a16790c69f89394431e67c7ed513b4e62b
                                                                                                                                                                                                                                        • Instruction ID: 3ce9eee4f0c4442cc3fc953dacc0bc9d278d91bd7547894b1bea8ca170ab1aa4
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: ba9c8bfa79a25b15fb200fd2dd0511a16790c69f89394431e67c7ed513b4e62b
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: EDD0A7207042054F93002FF6640E3B637EFFBC05013858024A509CB180CF38D851D751
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 153e2fe6c9a63dca3f2b56eb04120567eb91ae5b6776b810fe59489852873699
                                                                                                                                                                                                                                        • Instruction ID: 6056a8ce929ae3656990c82a153242d024bc5fcd22b5f249534464672317d196
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 153e2fe6c9a63dca3f2b56eb04120567eb91ae5b6776b810fe59489852873699
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 90D012E840E3CCDAAF1227FC28355FD3F7A260360370511CFE596A945384014441977B
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 993bdd4241e46ae8c49427e6907f355330d8f9708210d8aa57446ce23efb7c7c
                                                                                                                                                                                                                                        • Instruction ID: 2e6518cb1d0b971d6656a4fad178f6e01b525331412a1f1e21fa9087f08901ab
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 993bdd4241e46ae8c49427e6907f355330d8f9708210d8aa57446ce23efb7c7c
• Instruction Fuzzy Hash: 18C08C6623C34CCBB004A1AC28248FE3A6F67C83033108607FA2B86101CE124C5009B3
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6e09b97bbdb7d5b665a3831829f6b2e3402e4457659fe7f79648df16a372b5f7
• Instruction ID: 6bb13ac58905b3ad9abcc18af76621d1eda25be17dc6ea3b0719522f79d86f59
• Opcode Fuzzy Hash: 6e09b97bbdb7d5b665a3831829f6b2e3402e4457659fe7f79648df16a372b5f7
• Instruction Fuzzy Hash: A9C04C6623C74CCBB504A1AD19245FD766F67C83037508617FA2B86145DE125C501967
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2496fa7970418d094766887e940b09b3cf94510a1b82d2964d34c4e79345076a
• Instruction ID: 627097d60816b983d4532a1a3a993f4b3fd230e8a8e6f652e74f86a7a7abed70
• Opcode Fuzzy Hash: 2496fa7970418d094766887e940b09b3cf94510a1b82d2964d34c4e79345076a
• Instruction Fuzzy Hash: A5D0A9224097C40EDB0336344C20208BF30A8030213040382C0A4AB0E2E91822A883E2
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 52631ba0103eed0fa6f3dc693425591b6ffdd9983d581c58a8435f6265200331
• Instruction ID: 4db8c3fb22e57ec4f644dc83bb0f9c8c28799d46decd4fc7d78bce0f51d18a90
• Opcode Fuzzy Hash: 52631ba0103eed0fa6f3dc693425591b6ffdd9983d581c58a8435f6265200331
• Instruction Fuzzy Hash: 50D0126515D3C48DC30B573494180A93F310C1721534E04CFD0D68F4B3C566180AD726
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 360e8099f9d1d8848a9d08094752f273faf4c872a00bdd0a0475926294cb03f6
• Instruction ID: a78dab760f0ab4a829b9bf56c37892f24d13d47afa0b492f9069b8d3133017f7
• Opcode Fuzzy Hash: 360e8099f9d1d8848a9d08094752f273faf4c872a00bdd0a0475926294cb03f6
• Instruction Fuzzy Hash: B2D012B2418151DFC300CF55DD96C8D3FF0BE1D301304098AC0054B362D330E412CB94
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 838f98648b65403206ac023bc830299a73c9ae03066181c6f18f32055ff3c38f
• Instruction ID: 8c31612139b9c242ed64caeaa8b65ed1ee32e1c06d07916ec10b1c4886510b26
• Opcode Fuzzy Hash: 838f98648b65403206ac023bc830299a73c9ae03066181c6f18f32055ff3c38f
• Instruction Fuzzy Hash: 82C08C3000220887C2042798FA0E7A4B7A89B00312F401628E148410308B745482C6A6
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
• Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
• Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
• Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 67e2bf0935e1c3bb6ab1e50f1d1d5bbdbba824b1a04f4d00ea30345a2ee1b95d
• Instruction ID: e8b83a41bba82e0cf83d8692659e56a015e5f2472d5990a5207360ad56960abf
• Opcode Fuzzy Hash: 67e2bf0935e1c3bb6ab1e50f1d1d5bbdbba824b1a04f4d00ea30345a2ee1b95d
• Instruction Fuzzy Hash: B9B0127C00C20CC2350423DC20391FD363F3344A03B00011EE61F74800490114510453
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 91adfb9954c8894290a95080192579a309cd1139d87aa21d68a66833fe5ec59b
• Instruction ID: 44db449be6947cb5150a0e446a78e37b27ac7c3ddf2c45f54a80e28488a9d4a9
• Opcode Fuzzy Hash: 91adfb9954c8894290a95080192579a309cd1139d87aa21d68a66833fe5ec59b
• Instruction Fuzzy Hash: 7CC04CB0B5121ABFDB11CB55EF56DAD7A67BB04B11F100910E61266298D76049128690
Memory Dump Source
• Source File: 00000000.00000002.1736814170.00000000080B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 080B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_80b0000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a38f22aead377daffe3a80a7f0f3b41693d9602d7414c096159f8d61bc0849c4
• Instruction ID: 501cb98de13ee2e9d7f3c85be47af1c543d93c96fa41afc6012e846a714cfeb5
• Opcode Fuzzy Hash: a38f22aead377daffe3a80a7f0f3b41693d9602d7414c096159f8d61bc0849c4
• Instruction Fuzzy Hash: 93A0112000820CCA82082288A00E0BE3B2E202830A3800800FA2B0A0A02A3B38220088
Strings
Memory Dump Source
• Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID: 4'sq$4'sq$4'sq$4|xq$4|xq$$sq
• API String ID: 0-2205469115
• Opcode ID: 43194dbc3f08a6135a8b54fd37becf3202526b7b4682e5219b8be2d3ef907a8d
• Instruction ID: 46afe50e905b6204489b3c7929125bf4206c86a6d4edce177d64ad1600279321
• Opcode Fuzzy Hash: 43194dbc3f08a6135a8b54fd37becf3202526b7b4682e5219b8be2d3ef907a8d
• Instruction Fuzzy Hash: E3F1E5F57002128FEB29DB79C49462E7BB6BFC5700B1A84A9E526CB361CF31DC428791
                                                                                                                                                                                                                                        Strings
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735748928.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_7a10000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID: d
                                                                                                                                                                                                                                        • API String ID: 0-2564639436
                                                                                                                                                                                                                                        • Opcode ID: bc59afa8f304527a57c615843e1faecd1af5337ae5327fe513a31f8ccb69814a
                                                                                                                                                                                                                                        • Instruction ID: 1cbf74a9b2f5abfb070ac1f8247d0e19d0a74d2e09188848d16b21f3d41f94a8
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: bc59afa8f304527a57c615843e1faecd1af5337ae5327fe513a31f8ccb69814a
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: FE51D5B1E04229CFDB28DF6ACC447DEB7B2BB89311F4081EAD518A7254DB345A85CF50
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: b156a73b82d2fa1a0ef5be7296ff260e1bad50e8eace70aaf9ceb2acba287a45
                                                                                                                                                                                                                                        • Instruction ID: 9a05831e6ac3ad3a334f6e548b4f705ad89013a1638c52da4616f9c93c85af6d
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: b156a73b82d2fa1a0ef5be7296ff260e1bad50e8eace70aaf9ceb2acba287a45
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F4E1B6B4E041198FCB14DFA9C5909AEFBF2FF89305F24816AD814AB355DB34A942CF61
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: a5f18502962d667224a4309efccf961bbbb002caa63aecc406fce882005f0d8e
                                                                                                                                                                                                                                        • Instruction ID: 85df6e0728b4eb9ae1153b6c01d6059a36a8a5fd434ab434bbf3598f573ea9ba
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: a5f18502962d667224a4309efccf961bbbb002caa63aecc406fce882005f0d8e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 6EE1D574E041198FCB14DFA9C6809AEFBF2FF89305F24816AD814AB355DB34A946CF61
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: f745a065bebef2c8a2ae1a9f4b83f67765b9431902456857224fd3b78a932864
                                                                                                                                                                                                                                        • Instruction ID: bbf02632fbfa92872d6b828b901da1d32096e80ec1a3db28c22225d0013345d3
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: f745a065bebef2c8a2ae1a9f4b83f67765b9431902456857224fd3b78a932864
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B0E1D874E041198FCB14DF99C6809AEBBF2FF89305F24816AD815AB355DB34AD42CF61
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 593936e315d61904605a71f6e79c61dc92c8686af58f175fb82e6b6f0aff7145
                                                                                                                                                                                                                                        • Instruction ID: d28daf841ffe5e7acf41a14b8ece52a18f79147f0101cef16026b6e9b84c853c
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 593936e315d61904605a71f6e79c61dc92c8686af58f175fb82e6b6f0aff7145
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 77E1D874E041198FCB14DFA9C5809AEBBF2FF89305F24816AD814AB355DB34AD42CF65
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1737113268.0000000008410000.00000040.00000800.00020000.00000000.sdmp, Offset: 08410000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_8410000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 806cb24d7fbb5e3d12069ced13f22b408384fb9b6fd6d003503946fdea17164e
                                                                                                                                                                                                                                        • Instruction ID: dcb29f3700e6ecf63e11f10b29b17b91df59c8380f3f23686a21f7fd358fa223
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 806cb24d7fbb5e3d12069ced13f22b408384fb9b6fd6d003503946fdea17164e
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 02E1D774E041198FCB14DFA9D5809AEFBF2FF89305F25816AD814AB355DB30A942CFA1
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735261971.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_6780000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 7f87f26863302812372b09052ed9cb009fd519e33e0dbbad0c0ab2948d9b9ee1
                                                                                                                                                                                                                                        • Instruction ID: 38f3b427415c7ba125003461bfcb3f188549778c5784a6053a5d5f8b96928feb
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 7f87f26863302812372b09052ed9cb009fd519e33e0dbbad0c0ab2948d9b9ee1
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D5D1E835D2075A8ACB00EB78D994699B7B1FF95300F10DB9AE4497B211FB706AD4CB82
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1732888484.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_56e0000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: db7556ba0437d49ba06a03c6ece884cf08feb1096855627149f103fc486c3b67
                                                                                                                                                                                                                                        • Instruction ID: 47745b16ef5bc4ef3bc21344bd16c91d9eb8f30f12f2a9a3c8b17a2328939594
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: db7556ba0437d49ba06a03c6ece884cf08feb1096855627149f103fc486c3b67
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: F2A15C36E122058FCF05DFA4D8845EEBBB6FF85300B15856AE806AF265DB31E955CB80
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000000.00000002.1735261971.0000000006780000.00000040.00000800.00020000.00000000.sdmp, Offset: 06780000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_0_2_6780000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID:
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID:
                                                                                                                                                                                                                                        • Opcode ID: 39ae9391e55c54f0eeb64e70a0b8840caac36af248d95ba46edc1d6867d435fe
                                                                                                                                                                                                                                        • Instruction ID: 0b118239229a17152979586371872f801d65a8ae3725bfeb489fe7a23bbea04e
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 39ae9391e55c54f0eeb64e70a0b8840caac36af248d95ba46edc1d6867d435fe
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: D2D1E935D1075A8ACB00EB68D994699B7B1FF95300F10DB9AE4497B211FF706AD4CF81

Execution Graph

Execution Coverage: 7.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 38
Total number of Limit Nodes: 7
                                                                                                                                                                                                                                        execution_graph 16265 f5d300 DuplicateHandle 16266 f5d396 16265->16266 16267 f54668 16268 f54684 16267->16268 16269 f54696 16268->16269 16271 f547a0 16268->16271 16272 f547c5 16271->16272 16276 f548a1 16272->16276 16280 f548b0 16272->16280 16277 f548b0 16276->16277 16278 f549b4 16277->16278 16284 f54248 16277->16284 16282 f548d7 16280->16282 16281 f549b4 16281->16281 16282->16281 16283 f54248 CreateActCtxA 16282->16283 16283->16281 16285 f55940 CreateActCtxA 16284->16285 16287 f55a03 16285->16287 16287->16287 16288 f5d0b8 16289 f5d0fe GetCurrentProcess 16288->16289 16291 f5d150 GetCurrentThread 16289->16291 16292 f5d149 16289->16292 16293 f5d186 16291->16293 16294 f5d18d GetCurrentProcess 16291->16294 16292->16291 16293->16294 16295 f5d1c3 16294->16295 16296 f5d1eb GetCurrentThreadId 16295->16296 16297 f5d21c 16296->16297 16298 f5ad38 16302 f5ae30 16298->16302 16307 f5ae20 16298->16307 16299 f5ad47 16303 f5ae64 16302->16303 16304 f5ae41 16302->16304 16303->16299 16304->16303 16305 f5b068 GetModuleHandleW 16304->16305 16306 f5b095 16305->16306 16306->16299 16308 f5ae41 16307->16308 16309 f5ae64 16307->16309 16308->16309 16310 f5b068 GetModuleHandleW 16308->16310 16309->16299 16311 f5b095 16310->16311 16311->16299

Control-flow Graph

• Executed
• Not Executed
[control-flow graph rendering not preserved; function f5d0a8-f5d285, API nodes: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, call f5d289, GetCurrentThreadId]
APIs
• GetCurrentProcess.KERNEL32 ref: 00F5D136
• GetCurrentThread.KERNEL32 ref: 00F5D173
• GetCurrentProcess.KERNEL32 ref: 00F5D1B0
• GetCurrentThreadId.KERNEL32 ref: 00F5D209
Memory Dump Source
• Source File: 00000002.00000002.2965143493.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_C5Zr4LSzmp.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: c263425ec7dcee811ecea0a303bc5d01d60d7e98217920bf88ecaaf8c59fa161
• Instruction ID: 211a99b2948b06b558c7ad797e9cbc90b7763da4a8b5e8dcaf987b156d3c80f7
• Opcode Fuzzy Hash: c263425ec7dcee811ecea0a303bc5d01d60d7e98217920bf88ecaaf8c59fa161
• Instruction Fuzzy Hash: 5051A6B0901349CFDB14CFA9D948BAEBBF1EF48324F208459E519B73A1DB345984CB61

Control-flow Graph

• Executed
• Not Executed
[control-flow graph rendering not preserved; function f5d0b8-f5d285, API nodes: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, call f5d289, GetCurrentThreadId]
APIs
• GetCurrentProcess.KERNEL32 ref: 00F5D136
• GetCurrentThread.KERNEL32 ref: 00F5D173
• GetCurrentProcess.KERNEL32 ref: 00F5D1B0
• GetCurrentThreadId.KERNEL32 ref: 00F5D209
Memory Dump Source
• Source File: 00000002.00000002.2965143493.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_C5Zr4LSzmp.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: b82f563166cd38b0676d9c6170ad30fd888938e4fe6f3917185b0fe3e3616cd7
• Instruction ID: 646959cca9ed6044e3d4a294a76ed828de28efac59da0b4ab0540e5498e06ea4
• Opcode Fuzzy Hash: b82f563166cd38b0676d9c6170ad30fd888938e4fe6f3917185b0fe3e3616cd7
• Instruction Fuzzy Hash: 865176B0901349CFDB14CFAAD948BAEBBF5EF48324F208419E519B73A0DB745984CB65

Control-flow Graph

• Executed
• Not Executed
[control-flow graph rendering not preserved; function f5ae30-f5b0b0, calls f59838, f5b0c8 / f5b0b8, f5a814, f5a824, f5a834, f5a844, API node: GetModuleHandleW]
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00F5B086
Strings
Memory Dump Source
• Source File: 00000002.00000002.2965143493.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_C5Zr4LSzmp.jbxd
Similarity
• API ID: HandleModule
• String ID: 0V$0V
• API String ID: 4139908857-4216712621
• Opcode ID: ed80c831330209958bf9edd474a2b3b52742a35bf67e1d6cf48f6365e97605e5
• Instruction ID: 88f496613586626c55949ad088843e99a729110a761afdc82cf8d08724dee8c6
• Opcode Fuzzy Hash: ed80c831330209958bf9edd474a2b3b52742a35bf67e1d6cf48f6365e97605e5
• Instruction Fuzzy Hash: 50817AB0A00B058FD724DF69D44176ABBF1FF48315F008A2DD646D7A40D734E85ADB91

Control-flow Graph

• Executed
• Not Executed
[control-flow graph rendering not preserved; function f55935-f55a89, API node: CreateActCtxA]
APIs
• CreateActCtxA.KERNEL32(?), ref: 00F559F1
Memory Dump Source
• Source File: 00000002.00000002.2965143493.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_C5Zr4LSzmp.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 1944ad69e42d79b7c213f888c95d33803b9918a9741f7fac0fc8574ea5d640c5
• Instruction ID: 7cddbd798ad45411647a565c72e0a68a84d7d69bd0d5183831f8e9615a2b9a58
• Opcode Fuzzy Hash: 1944ad69e42d79b7c213f888c95d33803b9918a9741f7fac0fc8574ea5d640c5
• Instruction Fuzzy Hash: 8E41F0B0C00619CEDB24CFA9C984BCDBBB5FF48314F60815AD918BB251DB756949CF90

Control-flow Graph

• Executed
• Not Executed
[control-flow graph rendering not preserved; function f54248-f55a89, API node: CreateActCtxA]
APIs
• CreateActCtxA.KERNEL32(?), ref: 00F559F1
Memory Dump Source
• Source File: 00000002.00000002.2965143493.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_C5Zr4LSzmp.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: a484c9c953001a9bfc288154ddf1318f514c5d64a01f576d0da09c2b2bf20833
• Instruction ID: 03fca56b50e8908fe6434e59c593ec4d8980b8dc32cb1bd2b24f9577fb7db64f
• Opcode Fuzzy Hash: a484c9c953001a9bfc288154ddf1318f514c5d64a01f576d0da09c2b2bf20833
• Instruction Fuzzy Hash: DC41F1B0C00619CADB24CFA9C984B8EBBB5FF48714F60815AD908AB251DB756949CF90

Control-flow Graph

• Executed
• Not Executed
[control-flow graph rendering not preserved; function f5d2f9-f5d3ba, API node: DuplicateHandle]
                                                                                                                                                                                                                                        APIs
                                                                                                                                                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F5D387
                                                                                                                                                                                                                                        Memory Dump Source
                                                                                                                                                                                                                                        • Source File: 00000002.00000002.2965143493.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                                                                                                                                                                                                                        Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                        • Snapshot File: hcaresult_2_2_f50000_C5Zr4LSzmp.jbxd
                                                                                                                                                                                                                                        Similarity
                                                                                                                                                                                                                                        • API ID: DuplicateHandle
                                                                                                                                                                                                                                        • String ID:
                                                                                                                                                                                                                                        • API String ID: 3793708945-0
                                                                                                                                                                                                                                        • Opcode ID: 8b8fff15d23931660fe656e3cf31a41bd26b7f82c5209b251fbc09d1cf2bc9f4
                                                                                                                                                                                                                                        • Instruction ID: b2828d21a5734f0ba6304316d155d713f8ed865a3f94119e64bfa38b7eb1bd54
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: 8b8fff15d23931660fe656e3cf31a41bd26b7f82c5209b251fbc09d1cf2bc9f4
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: B821E4B5D01209DFDB10CFA9D585AEEBBF5EB48324F14841AE918B7310D378A944DF61

Control-flow Graph (graph image not preserved; basic blocks and edges recovered from the graph data)
• Block 490: f5d300-f5d394, calls DuplicateHandle
• Block 491: f5d396-f5d39c
• Block 492: f5d39d-f5d3ba
• Edges: 490->491, 490->492, 491->492
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F5D387
Memory Dump Source
• Source File: 00000002.00000002.2965143493.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_C5Zr4LSzmp.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: d2a3e6317b77a8a3251aa042a18909ee4a60fd317bb316b62e6cb5e618e1724c
• Instruction ID: 98eaf12b4c63a4d1fbb5e08f5aa30f31281f39c3c6d54fb9867d2b93fe3efc62
• Opcode Fuzzy Hash: d2a3e6317b77a8a3251aa042a18909ee4a60fd317bb316b62e6cb5e618e1724c
• Instruction Fuzzy Hash: A821E4B5D01248DFDB10CFAAD984ADEBBF8EB48324F14801AE918A3310D374A944DFA1

Control-flow Graph (graph image not preserved; basic blocks and edges recovered from the graph data)
• Block 495: f5b020-f5b060
• Block 496: f5b062-f5b065
• Block 497: f5b068-f5b093, calls GetModuleHandleW
• Block 498: f5b095-f5b09b
• Block 499: f5b09c-f5b0b0
• Edges: 495->496, 495->497, 496->497, 497->498, 497->499, 498->499
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00F5B086
Memory Dump Source
• Source File: 00000002.00000002.2965143493.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_f50000_C5Zr4LSzmp.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1ecad55d53791c85a96b4560bb46e33ba08816d20ba7182b086dc69331a2ef49
• Instruction ID: 7ea39824da653fb7fd053edd0257ae3ea72a4550ce8380f18a158481e40e54d7
• Opcode Fuzzy Hash: 1ecad55d53791c85a96b4560bb46e33ba08816d20ba7182b086dc69331a2ef49
• Instruction Fuzzy Hash: 2711DFB6C003498FCB20DF9AD444A9EFBF4AB88324F14841AD929A7650D379A549CFA1
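The records above are easier to triage in bulk than by eye: what an analyst usually wants from them is, per memory-dump region, which APIs the recovered functions call and whether the region is backed by a PE image at all. The following Python parser is an added example, not part of the Joe Sandbox report or its tooling. It assumes the listing has been saved as plain text with the bullet lines intact; SAMPLE is constructed from two of the records on this page with some Similarity fields omitted, and the observation that the fourth dot-separated field of the .sdmp name equals the region Offset is taken from this listing only, not from any documented naming scheme.

```python
"""Parse Joe Sandbox function records in the listing format used above and report
which memory-dump regions call which APIs.  Added example, not Joe Sandbox code;
SAMPLE is constructed from two of the listing's own records (some fields omitted)."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
control_flow_graph 485 f5d2f9-f5d394 DuplicateHandle 486 f5d396-f5d39c 485->486 487 f5d39d-f5d3ba 485->487 486->487
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F5D387
Memory Dump Source
• Source File: 00000002.00000002.2965143493.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
• API ID: DuplicateHandle
• Opcode ID: 8b8fff15d23931660fe656e3cf31a41bd26b7f82c5209b251fbc09d1cf2bc9f4
• Instruction Fuzzy Hash: B821E4B5D01209DFDB10CFA9D585AEEBBF5EB48324F14841AE918B7310D378A944DF61
Memory Dump Source
• Source File: 00000002.00000002.2964818153.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
• API ID:
• Opcode ID: f203294d0bfdeba7cd3cc21e87aebe75773e3fa255aa35a86e88f30c4bcb9f21
• Instruction Fuzzy Hash: 17216AB1108288DFCB15DF05DDC0B26BF65FBA4324F20C56DE9095B296C336E856CBA2
"""

@dataclass
class FunctionRecord:
    source_file: str = ""
    offset: int = 0
    based_on_pe: "bool | None" = None
    apis: list = field(default_factory=list)        # (api, module, ref address)
    cfg_blocks: dict = field(default_factory=dict)  # id -> {"range": (lo, hi), "calls": [...]}
    cfg_edges: list = field(default_factory=list)   # (src id, dst id)
    similarity: dict = field(default_factory=dict)  # "API ID", "Opcode ID", ...

API_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)")

def parse_cfg(line):
    """'control_flow_graph 485 f5d2f9-f5d394 DuplicateHandle ... 485->486' -> blocks, edges."""
    blocks, edges, cur = {}, [], None
    for tok in line.split()[1:]:
        if "->" in tok:                              # edge between two block ids
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
        elif tok.isdigit():                          # new block id
            cur = int(tok)
            blocks[cur] = {"range": None, "calls": []}
        elif cur is not None and blocks[cur]["range"] is None and "-" in tok:
            blocks[cur]["range"] = tuple(int(a, 16) for a in tok.split("-"))
        elif cur is not None:                        # API name shown inside the block
            blocks[cur]["calls"].append(tok)
    return blocks, edges

def parse_listing(text):
    """Split the listing into one FunctionRecord per 'Instruction Fuzzy Hash' line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph"):
            cur.cfg_blocks, cur.cfg_edges = parse_cfg(line)
            continue
        if not line.startswith("•"):
            continue                                 # section headings carry no data
        body = line[1:].strip()
        if m := SRC_RE.match(body):
            cur.source_file, cur.offset = m.group(1), int(m.group(2), 16)
            cur.based_on_pe = m.group(3).lower() == "true"
        elif m := API_RE.match(body):
            cur.apis.append((m.group(1), m.group(2), m.group(4)))
        else:
            key, sep, value = body.partition(":")
            if sep:                                  # legend lines have no colon
                cur.similarity[key] = value.strip()
            if key == "Instruction Fuzzy Hash":      # last field of every record
                records.append(cur)
                cur = FunctionRecord()
    return records

def apis_by_region(records):
    """Region base -> set of APIs called from functions found in that dump."""
    out = {}
    for r in records:
        out.setdefault(r.offset, set()).update(api for api, _, _ in r.apis)
    return out

def non_pe_regions_calling(records, apis_of_interest):
    """Regions marked 'based on PE: false' (no image on disk behind the code)
    whose functions call one of apis_of_interest: the first triage filter."""
    hits = {}
    for r in records:
        called = {api for api, _, _ in r.apis} & set(apis_of_interest)
        if r.based_on_pe is False and called:
            hits.setdefault(r.offset, set()).update(called)
    return hits

def dump_name_consistent(record):
    """In this listing the 4th dot-separated field of the .sdmp name carries the
    region base (0000000000F50000 for Offset 00F50000); check that they agree."""
    parts = record.source_file.split(".")
    return len(parts) > 3 and int(parts[3], 16) == record.offset
```

Run against the full saved listing, apis_by_region gives one line per dump region with everything it reaches out to, and non_pe_regions_calling narrows that to regions with no on-disk image behind them, which is where the DuplicateHandle and GetModuleHandleW calls above live; the same two functions in the listing that differ only in start address (f5d2f9 versus f5d300) show up as separate records with different Opcode IDs, so deduplicate on the API ref address rather than on the hashes if you need a count of distinct call sites.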
Memory Dump Source
• Source File: 00000002.00000002.2964818153.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_eed000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f203294d0bfdeba7cd3cc21e87aebe75773e3fa255aa35a86e88f30c4bcb9f21
• Instruction ID: 609e8598fefc3030188385bce9e1cf518b6d4e0f3cf08d3f01f232e6fa301afa
• Opcode Fuzzy Hash: f203294d0bfdeba7cd3cc21e87aebe75773e3fa255aa35a86e88f30c4bcb9f21
• Instruction Fuzzy Hash: 17216AB1108288DFCB15DF05DDC0B26BF65FBA4324F20C56DE9095B296C336E856CBA2
Memory Dump Source
• Source File: 00000002.00000002.2964893158.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_efd000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d8b16915786058029602b6a63f893af8f095e257a0e5220716942a01c6754f4
• Instruction ID: 29ec7efaa53a1f0a42c0aa99a4756e830718f85773f712ace64a461afff67c3e
• Opcode Fuzzy Hash: 5d8b16915786058029602b6a63f893af8f095e257a0e5220716942a01c6754f4
• Instruction Fuzzy Hash: 2A212571608208DFCB14DF14D9C0B26BF67FB84318F20C56DEA0A5B286CB36D807CA61
Memory Dump Source
• Source File: 00000002.00000002.2964893158.0000000000EFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EFD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_efd000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22440d7a8e3995d3cac036e1369c559f696353215ba2b4972dc1c8e9c05a96c5
• Instruction ID: 2221c96717e57c72739809ff565426609b1be7c0c815b2274d3426e8282d68bf
• Opcode Fuzzy Hash: 22440d7a8e3995d3cac036e1369c559f696353215ba2b4972dc1c8e9c05a96c5
• Instruction Fuzzy Hash: BB21837550D3848FD712CF24D990715BF72EB46314F28C5EAD9498B6A7C33A980ACB62
Memory Dump Source
• Source File: 00000002.00000002.2964818153.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_eed000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
• Instruction ID: 6eaa5000ce29e19f6d92298d385b30d3da16bbc3a56acbc7340f83b3971670db
• Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
• Instruction Fuzzy Hash: 67112976404284CFCB11CF00D9C0B16BF71FBA4324F24C2A9D8094B656C33AD456CB91
Memory Dump Source
• Source File: 00000002.00000002.2964818153.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_eed000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6d51a604c7a1a6c4aea4b22d5df149748f276ca46cf17028b2de22b051d665f6
• Instruction ID: 8db78a1ab180cc788f867d0d4ea9aed29077729d282afed4d9b39e5587c9b636
• Opcode Fuzzy Hash: 6d51a604c7a1a6c4aea4b22d5df149748f276ca46cf17028b2de22b051d665f6
• Instruction Fuzzy Hash: E4F049B6600644AF9720CF0ADC84C23FBADFBD4774719C05AE84A4B612C671FC01CAA0
Memory Dump Source
• Source File: 00000002.00000002.2964818153.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_eed000_C5Zr4LSzmp.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf86237a8107873c96dd186d7d129afbf9569e78d04d4a661de9da3b2116a5bf
• Instruction ID: 0abf5e32df0c2936e479b09798160465b8bd7915167e95f7a0845bc2f370b953
                                                                                                                                                                                                                                        • Opcode Fuzzy Hash: cf86237a8107873c96dd186d7d129afbf9569e78d04d4a661de9da3b2116a5bf
                                                                                                                                                                                                                                        • Instruction Fuzzy Hash: 0FF08C75104680AFD325CF06CC80C22BFB9EFC57607198489E88A4B212C631FC02CBA0